CVE-2013-0156

Vulnerability Description

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01AThird Party AdvisoryUS Government Resource
• http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.htmlMailing ListThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2013-0153.htmlThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2013-0154.htmlThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2013-0155.htmlThird Party Advisory
• http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-releasVendor Advisory
• http://www.debian.org/security/2013/dsa-2604Third Party Advisory
• http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-roThird Party Advisory
• http://www.insinuator.net/2013/01/rails-yaml/Third Party Advisory
• http://www.kb.cert.org/vuls/id/380039Third Party AdvisoryUS Government Resource
• http://www.kb.cert.org/vuls/id/628463Third Party AdvisoryUS Government Resource
• https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-Third Party Advisory
• https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=Third Party Advisory
• https://puppet.com/security/cve/cve-2013-0156Third Party Advisory
• http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01AThird Party AdvisoryUS Government Resource