Description
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
| Release | Status | Notes |
|---|---|---|
| devel | DNE | |
| esm-infra-legacy/trusty | DNE | |
| hardy | DNE | |
| lucid | ignored | end of life |
| oneiric | ignored | end of life |
| precise | released | 0.9.13-2+deb6u1build0.12.04.1 |
| quantal | DNE | |
| raring | DNE | |
| saucy | DNE | |
| trusty | DNE | |

| Release | Status | Notes |
|---|---|---|
| devel | not-affected | contains no code |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was not-affected [contains no code]] |
| hardy | ignored | end of life |
| lucid | ignored | end of life |
| oneiric | not-affected | contains no code |
| precise | not-affected | contains no code |
| quantal | not-affected | contains no code |
| raring | not-affected | contains no code |
| saucy | not-affected | contains no code |
| trusty | not-affected | contains no code |

| Release | Status | Notes |
|---|---|---|
| devel | DNE | |
| esm-infra-legacy/trusty | DNE | |
| hardy | DNE | |
| lucid | DNE | |
| oneiric | released | 2.3.14-2ubuntu0.11.10.1 |
| precise | released | 2.3.14-2ubuntu0.12.04.1 |
| quantal | released | 2.3.14-4ubuntu0.1 |
| raring | not-affected | 2.3.14-5 |
| saucy | not-affected | 2.3.14-5 |
| trusty | DNE | |

| Release | Status | Notes |
|---|---|---|
| devel | DNE | |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was not-affected [3.2.6-5]] |
| hardy | DNE | |
| lucid | DNE | |
| oneiric | DNE | |
| precise | DNE | |
| quantal | released | 3.2.6-4ubuntu0.1 |
| raring | not-affected | 3.2.6-5 |
| saucy | not-affected | 3.2.6-5 |
| trusty | not-affected | 3.2.6-5 |

| Release | Status | Notes |
|---|---|---|
| devel | not-affected | 0.9.15-3 |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was not-affected [0.9.15-3]] |
| hardy | DNE | |
| lucid | DNE | |
| oneiric | DNE | |
| precise | DNE | |
| quantal | released | 0.9.15-2ubuntu0.1 |
| raring | not-affected | 0.9.15-3 |
| saucy | not-affected | 0.9.15-3 |
| trusty | not-affected | 0.9.15-3 |
EPSS
7.5 High
CVSS2
Related vulnerabilities
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2. ...