Byte Open Security (ByteOS Network)
NVD Vulnerability Details: CVE-2013-0156
Status: Modified
Source: secalert@redhat.com
Published: 13 Jan, 2013 | 22:55
Updated: 29 Apr, 2026 | 01:13

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
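The mechanism described above, as an added example that is not code from NVD, this page or the Rails project: a minimal Ruby stand-in for the ActiveSupport XML-to-Hash typecasting, where a `type` attribute on a request element selects a cast from a table that, before the fix, contained `yaml` and `symbol` entries. The `XmlTypecast` module, the harmless `AuditRecord` class and the request body are constructed for illustration (no RCE gadget is included; the point is that an arbitrary Ruby object is instantiated from the body), and the regex parser handles only flat one-level XML. `SAFE_PARSING` applies the workaround from the Rails security announcement referenced below, which removes the two casts.

```ruby
require "yaml"

# Hypothetical application class, used only to show that an arbitrary
# Ruby object can be built from a request body. Not an RCE gadget.
class AuditRecord
  attr_reader :actor, :action
end

# Minimal stand-in for the ActiveSupport XML-to-Hash typecasting
# (constructed for this example, not the real implementation).
module XmlTypecast
  # Before the fix the real table also carried "yaml" and "symbol";
  # only the entries needed here are reproduced.
  UNSAFE_PARSING = {
    "integer" => ->(v) { Integer(v.strip) },
    "boolean" => ->(v) { %w[1 true].include?(v.strip) },
    # Symbols were never garbage-collected before Ruby 2.2, so attacker-chosen
    # symbols also exhaust memory (the DoS side of the advisory).
    "symbol"  => ->(v) { v.strip.to_sym },
    # Psych 4 (Ruby 3.1+) made YAML.load safe; unsafe_load reproduces the
    # behaviour the vulnerable Rails versions relied on.
    "yaml"    => ->(v) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(v) : YAML.load(v) },
  }.freeze

  # The advisory's workaround: drop both dangerous casts from the table.
  SAFE_PARSING = UNSAFE_PARSING.reject { |name, _| %w[yaml symbol].include?(name) }.freeze

  ROOT    = %r{<(\w+)>(.*)</\1>}m
  ELEMENT = %r{<(\w+)(?:\s+type="([^"]*)")?>(.*?)</\1>}m

  # Flat, one-level XML only; deliberately not a general XML parser.
  # Returns { root_name => { child_name => cast_value } }.
  def self.parse(body, table)
    m = body.match(ROOT) or raise ArgumentError, "no root element"
    root, inner = m.captures
    params = inner.scan(ELEMENT).each_with_object({}) do |(name, type, text), h|
      cast = type && table[type]
      # Unknown or removed types fall back to the raw string, as Rails does.
      h[name] = cast ? cast.call(text) : text
    end
    { root => params }
  end
end

# Constructed request body: two benign casts plus the two abused ones.
REQUEST_BODY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <user>
    <name>alice</name>
    <age type="integer">30</age>
    <role type="symbol">admin</role>
    <note type="yaml">--- !ruby/object:AuditRecord {actor: attacker, action: escalate}</note>
  </user>
XML

if $PROGRAM_NAME == __FILE__
  vulnerable = XmlTypecast.parse(REQUEST_BODY, XmlTypecast::UNSAFE_PARSING)["user"]
  hardened   = XmlTypecast.parse(REQUEST_BODY, XmlTypecast::SAFE_PARSING)["user"]
  puts "vulnerable: note=#{vulnerable['note'].class} role=#{vulnerable['role'].inspect}"
  puts "hardened:   note=#{hardened['note'].class} role=#{hardened['role'].inspect}"
end
```

With the unsafe table the `note` element becomes a live `AuditRecord` whose instance variables the client chose and `role` becomes the symbol `:admin`; with the hardened table both stay plain strings and the application validates them like any other input. In a real Rails 2.3/3.x application the announcement's equivalent is `ActiveSupport::XmlMini::PARSING.delete("yaml")` and `ActiveSupport::XmlMini::PARSING.delete("symbol")` in an initializer; that is a stopgap, and upgrading to the fixed releases named above is the actual remedy.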

CISA Catalog
Date Added: N/A; Due Date: N/A; Vulnerability Name: N/A; Required Action: N/A
Metrics
CVSS 2.0 (Primary): base score 7.5, severity HIGH, vector AV:N/AC:L/Au:N/C:P/I:P/A:P (reachable over the network, low attack complexity, no authentication required; partial confidentiality, integrity and availability impact).
CPE Matches
- rubyonrails / rails, versions from 3.2.0 (inclusive) to 3.2.11 (exclusive): cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
- rubyonrails / ruby_on_rails, versions before 2.3.15 (exclusive): cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*
- rubyonrails / ruby_on_rails, versions from 3.0.0 (inclusive) to 3.0.19 (exclusive): cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*
- rubyonrails / ruby_on_rails, versions from 3.1.0 (inclusive) to 3.1.10 (exclusive): cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*
- debian / debian_linux 6.0: cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- debian / debian_linux 7.0: cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
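An added check, not from this page or the Rails project, that turns the affected ranges listed above into something a practitioner can run against a Gemfile.lock. The `RailsCve20130156` module name and the lockfile excerpt are this example's own constructions; the ranges are exactly the ones the CPE matches state (lower bound inclusive, upper bound exclusive). `activesupport` is checked alongside `rails` because the vulnerable file lives in ActiveSupport, which can be pinned on its own.

```ruby
require "rubygems"

module RailsCve20130156
  # Affected ranges as the CPE matches state them.
  AFFECTED = [
    Gem::Requirement.new("< 2.3.15"),
    Gem::Requirement.new(">= 3.0.0", "< 3.0.19"),
    Gem::Requirement.new(">= 3.1.0", "< 3.1.10"),
    Gem::Requirement.new(">= 3.2.0", "< 3.2.11"),
  ].freeze

  # First fixed release on each affected branch, in branch order.
  FIXED_IN = %w[2.3.15 3.0.19 3.1.10 3.2.11].freeze

  def self.affected?(version)
    v = Gem::Version.new(version)
    AFFECTED.any? { |range| range.satisfied_by?(v) }
  end

  # The smallest fixed release on the same branch, or nil when the version
  # is outside every affected range. Works because the ranges are disjoint
  # and FIXED_IN is sorted ascending.
  def self.fixed_version_for(version)
    return nil unless affected?(version)
    v = Gem::Version.new(version)
    FIXED_IN.find { |f| Gem::Requirement.new("< #{f}").satisfied_by?(v) }
  end

  # In a Gemfile.lock, top-level pins under "specs:" sit at exactly four
  # spaces; dependency lines are indented further and are skipped, as is
  # the DEPENDENCIES section.
  LOCK_PIN = /^ {4}(rails|activesupport) \(([^)\s]+)\)\s*$/

  def self.scan_lockfile(text)
    text.scan(LOCK_PIN).to_h
  end

  # Returns [[gem, version, affected?], ...] in lockfile order.
  def self.report(text)
    scan_lockfile(text).map { |gem, version| [gem, version, affected?(version)] }
  end
end

# Constructed Gemfile.lock excerpt pinning a version inside the 3.2 range.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.10)
        activesupport (= 3.2.10)
      activesupport (3.2.10)
      rails (3.2.10)
        actionpack (= 3.2.10)

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

if $PROGRAM_NAME == __FILE__
  RailsCve20130156.report(SAMPLE_GEMFILE_LOCK).each do |gem, version, hit|
    fix = hit ? " (upgrade to #{RailsCve20130156.fixed_version_for(version)})" : ""
    puts "#{gem} #{version}: #{hit ? 'AFFECTED' : 'not affected'}#{fix}"
  end
end
```

Pass `File.read("Gemfile.lock")` to `report` for a real project. The check is version-based only: an application that has already applied the `ActiveSupport::XmlMini::PARSING` workaround will still be flagged, which is the correct outcome for an inventory, since the workaround is not the fix.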
Weaknesses
CWE-20 (Improper Input Validation), Type: Primary, Source: nvd@nist.gov
Evaluator Description, Evaluator Impact, Evaluator Solution, Vendor Statements: none provided.
References
NVD lists every hyperlink below twice, once under source secalert@redhat.com and once under source af854a3a-2127-422b-91ae-364da2661108, with identical resource tags; the duplicate rows are collapsed here.
- http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A (Third Party Advisory, US Government Resource)
- http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html (Mailing List, Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0153.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0154.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0155.html (Third Party Advisory)
- http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/ (Vendor Advisory)
- http://www.debian.org/security/2013/dsa-2604 (Third Party Advisory)
- http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html (Third Party Advisory)
- http://www.insinuator.net/2013/01/rails-yaml/ (Third Party Advisory)
- http://www.kb.cert.org/vuls/id/380039 (Third Party Advisory, US Government Resource)
- http://www.kb.cert.org/vuls/id/628463 (Third Party Advisory, US Government Resource)
- https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156 (Third Party Advisory)
- https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain (Third Party Advisory)
- https://puppet.com/security/cve/cve-2013-0156 (Third Party Advisory)
Change History
0 changes found; details not found.