GHSA-4936-rj25-6wm6

Source

https://github.com/advisories/GHSA-4936-rj25-6wm6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-4936-rj25-6wm6/GHSA-4936-rj25-6wm6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4936-rj25-6wm6

Aliases

CVE-2013-0285

Published

2017-10-24T18:33:37Z

Modified

2024-11-29T05:28:02.729764Z

Summary

nori contains Improper Input Validation

Details

The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:57:55Z"
}

References

Affected packages

RubyGems / nori

Package

Name: nori
Purl: pkg:gem/nori

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.2

Affected versions

2.*

2.0.0

RubyGems / nori

Package

Name: nori
Purl: pkg:gem/nori

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.1.0

Fixed

1.1.4

Affected versions

1.*

1.1.0

1.1.2

1.1.3

RubyGems / nori

Package

Name: nori
Purl: pkg:gem/nori

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.0.3

Affected versions

1.*

1.0.0

1.0.1

1.0.2