Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2013-0156

Опубликовано: 08 янв. 2013
Источник: redhat
CVSS2: 7.5
EPSS Критический

Описание

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

Отчет

For details of affected products and workarounds see https://access.redhat.com/knowledge/node/290903

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat CloudForms Tools 1rubygem-activesupportAffected
CloudForms for RHEL 6rubygem-actionpackFixedRHSA-2013:015510.01.2013
CloudForms for RHEL 6rubygem-activerecordFixedRHSA-2013:015510.01.2013
CloudForms for RHEL 6rubygem-activesupportFixedRHSA-2013:015510.01.2013
Red Hat Subscription Asset Manager 1.1rubygem-actionpackFixedRHSA-2013:015410.01.2013
Red Hat Subscription Asset Manager 1.1rubygem-activerecordFixedRHSA-2013:015410.01.2013
Red Hat Subscription Asset Manager 1.1rubygem-activesupportFixedRHSA-2013:015410.01.2013
RHEL 6 Version of OpenShift Enterpriseruby193-rubygem-actionpackFixedRHSA-2013:015310.01.2013
RHEL 6 Version of OpenShift Enterpriseruby193-rubygem-activesupportFixedRHSA-2013:015310.01.2013
RHEL 6 Version of OpenShift Enterpriserubygem-actionpackFixedRHSA-2013:015310.01.2013

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Critical
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=892870rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack

EPSS

Процентиль: 100%
0.91907
Критический

7.5 High

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2013-0156

ubuntu
около 13 лет назад

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

nvd логотип

CVE-2013-0156

nvd
около 13 лет назад

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

debian логотип

CVE-2013-0156

debian
около 13 лет назад

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2. ...

github логотип

GHSA-jmgw-6vjg-jjwg

github
больше 8 лет назад

actionpack Improper Input Validation vulnerability

EPSS

Процентиль: 100%
0.91907
Критический

7.5 High

CVSS2