Vulnerability Description
The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nori Gem Project | Nori Gem | 2.0.0 |
Related Weaknesses (CWE)
References
- http://seclists.org/oss-sec/2013/q1/304
- https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-v
- http://seclists.org/oss-sec/2013/q1/304
- https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-v
FAQ
What is CVE-2013-0285?
CVE-2013-0285 is a vulnerability with a CVSS score of 7.5 (HIGH). The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attack...
How severe is CVE-2013-0285?
CVE-2013-0285 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-0285?
Check the references section above for vendor advisories and patch information. Affected products include: Nori Gem Project Nori Gem.