PT-2013-2202 · Ruby+1 · Ruby On Rails+3

Ben Murphy

Publicado

2013-02-12

Atualizado

2022-04-18

CVE-2013-0269

CVSS v2.0

7.5

Alta

Vetor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions JSON gem versions prior to 1.5.5 JSON gem versions 1.6.x prior to 1.6.8 JSON gem versions 1.7.x prior to 1.7.7

Description The issue allows remote attackers to cause a denial of service or bypass the mass assignment protection mechanism via a crafted JSON document. This can trigger the creation of arbitrary Ruby symbols or certain internal objects, potentially leading to attacks such as SQL injection against Ruby on Rails.

Recommendations For JSON gem versions prior to 1.5.5, update to version 1.5.5 or later. For JSON gem versions 1.6.x prior to 1.6.8, update to version 1.6.8 or later. For JSON gem versions 1.7.x prior to 1.7.7, update to version 1.7.7 or later.

Exploit

Correção

DoS

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

CVE-2013-0269

DLA-215-1

DLA-2192-1

DLA-263-1

GHSA-X457-CW4H-HQ5F

RHSA-2013:0701

SUSE-SU-2013_0609-2

USN-1733-1

Produtos afetados

Json Gem

Ruby

Ruby On Rails

Suse

PT-2013-2202 · Ruby+1 · Ruby On Rails+3

CVE-2013-0269

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 43