Vulnerability   
Search   
    Search 191973 CVE descriptions
and 86218 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

CVE ID:CVE-2013-0156
Description:active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Test IDs: 1.3.6.1.4.1.25623.1.0.802050   1.3.6.1.4.1.25623.1.0.702604  
Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2013-0156
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
CERT/CC vulnerability note: VU#380039
http://www.kb.cert.org/vuls/id/380039
CERT/CC vulnerability note: VU#628463
http://www.kb.cert.org/vuls/id/628463
Debian Security Information: DSA-2604 (Google Search)
http://www.debian.org/security/2013/dsa-2604
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
http://www.insinuator.net/2013/01/rails-yaml/
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
RedHat Security Advisories: RHSA-2013:0153
http://rhn.redhat.com/errata/RHSA-2013-0153.html
RedHat Security Advisories: RHSA-2013:0154
http://rhn.redhat.com/errata/RHSA-2013-0154.html
RedHat Security Advisories: RHSA-2013:0155
http://rhn.redhat.com/errata/RHSA-2013-0155.html




© 1998-2021 E-Soft Inc. All rights reserved.