CVE-2013-0156
Published: 13 January 2013
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
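The description above is terse about the mechanism, so here is an added illustration (not ActiveSupport's own code, and not taken from this page): a stand-in for the per-element typecasting that `Hash.from_xml` applied to XML request bodies, where a leaf element's `type="..."` attribute selects a conversion. The vulnerable conversion table honours `yaml` (which deserialises arbitrary Ruby objects, the object-injection path) and `symbol` (which interns attacker-chosen strings); the hardened table drops both, which is what the upstream fix did. The class name `AuditEntry`, the table names and the sample request bodies are this example's own constructions.

```ruby
# Added illustration for CVE-2013-0156; not ActiveSupport's own code.
# Models the per-element typecasting that Hash.from_xml applied to XML
# request bodies: a leaf element's type="..." attribute selects a
# conversion. The vulnerable table honours "yaml" and "symbol"; the
# hardened table, like the upstream fix, drops both.
require 'rexml/document'
require 'yaml'

# Hypothetical application class: stands in for any class on the load
# path that a !ruby/object tag can instantiate.
class AuditEntry
  attr_accessor :note
end

def unsafe_yaml_load(str)
  # Psych 4 (Ruby 3.1+) made YAML.load refuse arbitrary objects; fall back
  # to unsafe_load so this reproduces the pre-fix behaviour on new rubies.
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(str) : YAML.load(str)
end

# Conversions keyed by the type attribute (names are this example's own).
VULNERABLE_CASTS = {
  'integer' => ->(s) { s.to_i },
  'boolean' => ->(s) { %w[1 true].include?(s.strip) },
  'string'  => ->(s) { s },
  'symbol'  => ->(s) { s.to_sym },            # interns attacker-chosen strings
  'yaml'    => ->(s) { unsafe_yaml_load(s) }  # deserialises arbitrary objects
}.freeze

# The fix: only inert scalar conversions remain.
HARDENED_CASTS = VULNERABLE_CASTS.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Convert the child elements of the root into a Hash of typecast values.
# Unknown type attributes are rejected rather than silently passed through.
def params_from_xml(xml, casts)
  doc = REXML::Document.new(xml)
  result = {}
  doc.root.each_element do |el|
    type = el.attributes['type']
    text = el.text.to_s
    result[el.name] =
      if type.nil?
        text
      elsif casts.key?(type)
        casts[type].call(text)
      else
        raise ArgumentError, "unsupported type #{type.inspect} on <#{el.name}>"
      end
  end
  result
end

# Constructed sample bodies (not captured traffic).
BENIGN_XML = '<post><id type="integer">42</id>' \
             '<draft type="boolean">true</draft><title>hello</title></post>'

MALICIOUS_XML =
  '<post><id type="integer">1</id>' \
  "<payload type=\"yaml\">--- !ruby/object:AuditEntry\nnote: injected\n</payload>" \
  '<tag type="symbol">attacker_chosen_symbol</tag></post>'

if __FILE__ == $PROGRAM_NAME
  p params_from_xml(BENIGN_XML, HARDENED_CASTS)
  p params_from_xml(MALICIOUS_XML, VULNERABLE_CASTS) # an AuditEntry and a new Symbol appear
  begin
    params_from_xml(MALICIOUS_XML, HARDENED_CASTS)
  rescue ArgumentError => e
    puts "hardened: #{e.message}"
  end
end
```

With the vulnerable table, the `payload` element comes back as a live `AuditEntry` instance built from attacker-supplied YAML, and `tag` becomes a newly interned Symbol; with the hardened table the same body is rejected at the `type` attribute. The real exploit chains replaced the harmless class here with gadget classes that run code on instantiation, which is why the advisory rates this as arbitrary code execution.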
Notes
Author | Note |
---|---|
mdeslaur | in Oneiric+, rails package is just for transition |
jdstrand | authentication bypass actively being exploited per Debian, on Ubuntu 11.10+, vulnerability is in ruby-activesupport* for rails |
Priority
Status
libextlib-ruby (Launchpad, Ubuntu, Debian)

Release | Status |
---|---|
hardy | Does not exist |
lucid | Ignored (end of life) |
oneiric | Ignored (end of life) |
precise | Released (0.9.13-2+deb6u1build0.12.04.1) |
quantal | Does not exist |
raring | Does not exist |
saucy | Does not exist |
trusty | Does not exist |
upstream | Needs triage |
utopic | Does not exist |
vivid | Does not exist |

rails (Launchpad, Ubuntu, Debian)

Release | Status |
---|---|
hardy | Ignored (end of life) |
lucid | Ignored (end of life) |
oneiric | Not vulnerable (contains no code) |
precise | Not vulnerable (contains no code) |
quantal | Not vulnerable (contains no code) |
raring | Not vulnerable (contains no code) |
saucy | Not vulnerable (contains no code) |
trusty | Does not exist (trusty was not-affected [contains no code]) |
upstream | Needs triage |
utopic | Not vulnerable (contains no code) |
vivid | Not vulnerable (contains no code) |

Patches: vendor: http://www.debian.org/security/2013/dsa-2604

ruby-activesupport-2.3 (Launchpad, Ubuntu, Debian)

Release | Status |
---|---|
hardy | Does not exist |
lucid | Does not exist |
oneiric | Released (2.3.14-2ubuntu0.11.10.1) |
precise | Released (2.3.14-2ubuntu0.12.04.1) |
quantal | Released (2.3.14-4ubuntu0.1) |
raring | Not vulnerable (2.3.14-5) |
saucy | Not vulnerable (2.3.14-5) |
trusty | Does not exist |
upstream | Released (2.3.14-5) |
utopic | Does not exist |
vivid | Does not exist |

ruby-activesupport-3.2 (Launchpad, Ubuntu, Debian)

Release | Status |
---|---|
hardy | Does not exist |
lucid | Does not exist |
oneiric | Does not exist |
precise | Does not exist |
quantal | Released (3.2.6-4ubuntu0.1) |
raring | Not vulnerable (3.2.6-5) |
saucy | Not vulnerable (3.2.6-5) |
trusty | Does not exist (trusty was not-affected [3.2.6-5]) |
upstream | Released (3.2.6-5) |
utopic | Does not exist |
vivid | Does not exist |

ruby-extlib (Launchpad, Ubuntu, Debian)

Release | Status |
---|---|
hardy | Does not exist |
lucid | Does not exist |
oneiric | Does not exist |
precise | Does not exist |
quantal | Released (0.9.15-2ubuntu0.1) |
raring | Not vulnerable (0.9.15-3) |
saucy | Not vulnerable (0.9.15-3) |
trusty | Does not exist (trusty was not-affected [0.9.15-3]) |
upstream | Released (0.9.15-3) |
utopic | Not vulnerable (0.9.15-3) |
vivid | Not vulnerable (0.9.15-3) |