Input validation error in Ruby on Rails - CVE-2013-0156

 


Published: January 14, 2013 / Updated: November 15, 2024


Vulnerability identifier: #VU31841
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2013-0156
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Rails
Affected software:
Ruby on Rails

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.


How to mitigate CVE-2013-0156

Install update from vendor's website.
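As an added illustration (not part of this advisory or of Rails itself), the check below scans an XML request body for the element `type` casts the description names, "yaml" and "symbol", which the Rails XML parameter parser honoured before the fixed versions. It mirrors the vendor workaround published alongside the patch, which removed those two entries from `ActiveSupport::XmlMini::PARSING`, by keeping only an allowlist of cast types; the sample bodies, constant names and the regex are assumptions for this example, and the scan is a heuristic rather than a full XML parse.

```ruby
# Added example for CVE-2013-0156 (not code from the advisory or from Rails).
# Defensive check: flag XML bodies that request a type cast outside an allowlist.

# The two casts the advisory identifies as the vector.
RISKY_XML_CASTS = %w[yaml symbol].freeze

# Assumed allowlist modelling ActiveSupport::XmlMini::PARSING after the published
# workaround deleted the "yaml" and "symbol" entries (names illustrative only).
ALLOWED_XML_CASTS = %w[string integer float decimal boolean date datetime dateTime
                       base64Binary binary file].map(&:downcase).freeze

# Matches an element start tag carrying a type="..." attribute; captures the
# element name and the requested cast. Heuristic: does not handle CDATA/comments.
TYPE_ATTR_RE = /<([A-Za-z_][\w\-.:]*)\b[^>]*?(?<![\w\-])type\s*=\s*["']([^"']*)["']/i

# Returns [[element_name, type_value], ...] for casts not on the allowlist
# (case-insensitive). An empty array means no disallowed cast was requested.
def disallowed_xml_casts(body)
  body.scan(TYPE_ATTR_RE).reject { |(_, type)| ALLOWED_XML_CASTS.include?(type.downcase) }
end

# True when the body asks for one of the casts tied to this CVE; a front-end
# filter could reject such a request with 400 before it reaches the app.
def risky_xml_request?(body)
  disallowed_xml_casts(body).any? { |(_, type)| RISKY_XML_CASTS.include?(type.downcase) }
end

# Constructed sample bodies (benign content, illustrative only).
CLEAN_BODY   = '<user><name type="string">alice</name><age type="integer">30</age></user>'
FLAGGED_BODY = '<user><name type="yaml">foo: bar</name><id type="symbol">x</id></user>'

if __FILE__ == $PROGRAM_NAME
  puts "clean:   #{disallowed_xml_casts(CLEAN_BODY).inspect}"
  puts "flagged: #{disallowed_xml_casts(FLAGGED_BODY).inspect}"
end
```

The allowlist approach is the durable fix for the class of bug: decide which casts the application accepts rather than enumerating the ones known to be dangerous.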

Sources