Описание
The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | contains no code |
| esm-apps/xenial | not-affected | contains no code |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was not-affected [contains no code]] |
| hardy | ignored | end of life |
| lucid | ignored | end of life |
| oneiric | not-affected | contains no code |
| precise | not-affected | contains no code |
| precise/esm | DNE | precise was not-affected [contains no code] |
| quantal | not-affected | contains no code |
| raring | not-affected | contains no code |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra-legacy/trusty | DNE | |
| hardy | DNE | |
| lucid | DNE | |
| oneiric | ignored | end of life |
| precise | ignored | end of life |
| precise/esm | DNE | precise was needed |
| quantal | ignored | end of life |
| raring | ignored | end of life |
| saucy | ignored | end of life |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was not-affected [3.2.16-3]] |
| hardy | DNE | |
| lucid | DNE | |
| oneiric | DNE | |
| precise | DNE | |
| precise/esm | DNE | |
| quantal | ignored | end of life |
| raring | ignored | end of life |
| saucy | not-affected | 3.2.13-7 |
Показывать по
Ссылки на источники
EPSS
7.5 High
CVSS2
Связанные уязвимости
The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
EPSS
7.5 High
CVSS2