GHSA-jmgw-6vjg-jjwg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jmgw-6vjg-jjwg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-jmgw-6vjg-jjwg/GHSA-jmgw-6vjg-jjwg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jmgw-6vjg-jjwg
- Aliases
- Published
- 2017-10-24T18:33:37Z
- Modified
- 2024-11-30T05:30:38.293209Z
- Summary
- actionpack Improper Input Validation vulnerability
- Details
-
active_support/core_ext/hash/conversions.rbin Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion. - Database specific
{ "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-20" ], "nvd_published_at": "2013-01-13T22:55:00Z", "github_reviewed_at": "2020-06-16T21:43:48Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-0156
- https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
- https://github.com/rails/rails
- https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
- https://web.archive.org/web/20140111025708/http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
- https://web.archive.org/web/20160415043747/https://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
- https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156
- http://rhn.redhat.com/errata/RHSA-2013-0153.html
- http://rhn.redhat.com/errata/RHSA-2013-0154.html
- http://rhn.redhat.com/errata/RHSA-2013-0155.html
- http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
- http://www.debian.org/security/2013/dsa-2604
- http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
- http://www.insinuator.net/2013/01/rails-yaml
- http://www.kb.cert.org/vuls/id/380039
- http://www.kb.cert.org/vuls/id/628463
Affected packages
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.15
Affected versions
0.*
0.9.0
0.9.5
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.4.0
1.5.0
1.5.1
1.6.0
1.7.0
1.8.0
1.8.1
1.9.0
1.9.1
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.2
2.2.3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8.pre1
2.3.8
2.3.9.pre
2.3.9
2.3.10
2.3.11
2.3.12
2.3.14
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack
Affected versions
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4
3.0.8
3.0.9.rc1
3.0.9.rc3
3.0.9.rc4
3.0.9.rc5
3.0.9
3.0.10.rc1
3.0.10
3.0.11
3.0.12.rc1
3.0.12
3.0.13.rc1
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack