CVE-2013-0156

Description

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

How to fix CVE-2013-0156

To remediate CVE-2013-0156, upgrade the affected package to a fixed version below.

• —upgrade to 2.3.14.1 or later
• —upgrade to 2.3.5-1.2+squeeze4.1 or later
• —upgrade to 2.3.15 or later

Is CVE-2013-0156 being exploited?

Likely — EPSS is 91.9%, placing CVE-2013-0156 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

• from 0, < 2.3.14.1
• from 0, < 2.3.5-1.2+squeeze4.1
• from 0, < 2.3.15

References (17)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-0156
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-0156
• PATCHgithub.com/rails/rails
• WEBrhn.redhat.com/errata/RHSA-2013-0153.html
• WEBrhn.redhat.com