CVE-2013-0269

high

Description

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
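The "internal objects" half of the description refers to the parser honouring a "json_class" key in a document and instantiating the named class, which JSON.parse did by default before 1.7.7 (the fix made create_additions off by default for JSON.parse; JSON.load kept the old behaviour). The following Ruby is an added example, not code from the page or from the json gem; the AuditNote class and the UNTRUSTED document are constructed stand-ins for a creatable class and an attacker-supplied body. legacy_parse reproduces the pre-fix default by passing create_additions: true explicitly, and safe_parse shows the settings worth passing on untrusted input whatever the installed gem's defaults are: no additions, string keys (so attacker-chosen keys are not interned as symbols, which before Ruby 2.2 were never garbage collected), a nesting cap, a size cap, and a refusal of any document that carries json_class at any depth.

```ruby
require 'json'

# Constructed example class. Any class that answers to json_create is
# "json_creatable" and will be instantiated by the parser when additions are on.
class AuditNote
  attr_reader :text

  def initialize(text)
    @text = text
  end

  def self.json_create(hash)
    new(hash['text'])
  end
end

# Constructed attacker-controlled document: json_class names the class to build.
UNTRUSTED = '{"json_class":"AuditNote","text":"injected","ignored":1}'

# Legacy behaviour: create_additions: true is what JSON.parse did by default
# before json 1.7.7, so an untrusted body can pick the class it becomes.
def legacy_parse(doc)
  JSON.parse(doc, create_additions: true)
end

# Hardened parse for untrusted input: plain Hash/Array/scalars only.
def safe_parse(doc, max_bytes: 64 * 1024)
  raise ArgumentError, 'document too large' if doc.bytesize > max_bytes

  data = JSON.parse(doc,
                    create_additions: false, # never instantiate from json_class
                    symbolize_names: false,  # keep keys as Strings, no symbol interning
                    max_nesting: 20)         # bound recursion on deeply nested bodies
  reject_json_class!(data)
end

# Defence in depth: refuse json_class at any depth, so the parsed data cannot
# be resurrected into an object later by JSON.load or a differently configured parser.
def reject_json_class!(node)
  case node
  when Hash
    raise ArgumentError, 'json_class key not allowed' if node.key?('json_class')
    node.each_value { |v| reject_json_class!(v) }
  when Array
    node.each { |v| reject_json_class!(v) }
  end
  node
end

if __FILE__ == $PROGRAM_NAME
  puts legacy_parse(UNTRUSTED).class           # AuditNote: the document chose the class
  puts JSON.parse(UNTRUSTED).class             # Hash: modern JSON.parse default
  begin
    safe_parse(UNTRUSTED)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  p safe_parse('{"a":[1,{"b":"c"}]}')
end
```

Bundled applications should not rely on the gem's defaults at all: `JSON.parse` is safe on current versions, but `JSON.load` still enables additions, and a single call site using it on a request body reopens the object-creation path.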

References

http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html

http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html

http://rhn.redhat.com/errata/RHSA-2013-0686.html

http://rhn.redhat.com/errata/RHSA-2013-0701.html

http://rhn.redhat.com/errata/RHSA-2013-1028.html

http://rhn.redhat.com/errata/RHSA-2013-1147.html

http://secunia.com/advisories/52075

http://secunia.com/advisories/52774

http://secunia.com/advisories/52902

http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed

http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/

http://www.openwall.com/lists/oss-security/2013/02/11/7

http://www.openwall.com/lists/oss-security/2013/02/11/8

http://www.osvdb.org/90074

http://www.securityfocus.com/bid/57899

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862

http://www.ubuntu.com/usn/USN-1733-1

http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection

https://exchange.xforce.ibmcloud.com/vulnerabilities/82010

https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain

https://puppet.com/security/cve/cve-2013-0269

Details

Source: MITRE

Published: 2013-02-13

Updated: 2017-12-09

Type: CWE-20

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

Tenable Plugins

16 plugins in total.

ID     | Name                                                                                                              | Product | Family                             | Severity
-------|-------------------------------------------------------------------------------------------------------------------|---------|------------------------------------|---------
149871 | Amazon Linux 2 : ruby (ALAS-2021-1641)                                                                            | Nessus  | Amazon Linux Local Security Checks | high
140096 | Amazon Linux AMI : ruby24 (ALAS-2020-1422)                                                                        | Nessus  | Amazon Linux Local Security Checks | high
140094 | Amazon Linux AMI : ruby19 (ALAS-2020-1426)                                                                        | Nessus  | Amazon Linux Local Security Checks | high
140093 | Amazon Linux AMI : rubygem-json-debuginfo (ALAS-2020-1423)                                                        | Nessus  | Amazon Linux Local Security Checks | high
119437 | RHEL 6 : ruby193-ruby, rubygem-json and rubygem-rdoc (RHSA-2013:0701)                                             | Nessus  | Red Hat Local Security Checks      | high
84494  | Debian DLA-263-1 : ruby1.9.1 security update                                                                      | Nessus  | Debian Local Security Checks       | high
83167  | Debian DLA-215-1 : libjson-ruby security update                                                                   | Nessus  | Debian Local Security Checks       | high
79980  | GLSA-201412-27 : Ruby: Denial of Service                                                                          | Nessus  | Gentoo Local Security Checks       | high
74955  | openSUSE Security Update : ruby (openSUSE-SU-2013:0603-1)                                                         | Nessus  | SuSE Local Security Checks         | high
70590  | Mac OS X : OS X Server < 3.0 Multiple Vulnerabilities                                                             | Nessus  | MacOS X Local Security Checks      | high
65904  | RHEL 6 : Subscription Asset Manager (RHSA-2013:0686)                                                              | Nessus  | Red Hat Local Security Checks      | high
65583  | Slackware 13.1 / 13.37 / 14.0 / current : ruby (SSA:2013-075-01)                                                  | Nessus  | Slackware Local Security Checks    | high
65040  | Fedora 18 : rubygem-json-1.6.8-1.fc18 (2013-3052)                                                                 | Nessus  | Fedora Local Security Checks       | high
65039  | Fedora 17 : rubygem-json-1.6.8-1.fc17 (2013-3050)                                                                 | Nessus  | Fedora Local Security Checks       | high
64799  | Ubuntu 12.04 LTS / 12.10 : ruby1.9.1 vulnerabilities (USN-1733-1)                                                 | Nessus  | Ubuntu Local Security Checks       | high
64652  | FreeBSD : Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON (c79eb109-a754-45d7-b552-a42099eb2265) | Nessus  | FreeBSD Local Security Checks      | high