PT-2013-2202 · Ruby+1 · Ruby On Rails+3

Ben Murphy

Published

2013-02-12

Updated

2022-04-18

CVE-2013-0269

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions JSON gem versions prior to 1.5.5 JSON gem versions 1.6.x prior to 1.6.8 JSON gem versions 1.7.x prior to 1.7.7

Description The issue allows remote attackers to cause a denial of service or bypass the mass assignment protection mechanism via a crafted JSON document. This can trigger the creation of arbitrary Ruby symbols or certain internal objects, potentially leading to attacks such as SQL injection against Ruby on Rails.

Recommendations For JSON gem versions prior to 1.5.5, update to version 1.5.5 or later. For JSON gem versions 1.6.x prior to 1.6.8, update to version 1.6.8 or later. For JSON gem versions 1.7.x prior to 1.7.7, update to version 1.7.7 or later.

Exploit

Fix

DoS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2013-0269

DLA-215-1

DLA-2192-1

DLA-263-1

GHSA-X457-CW4H-HQ5F

RHSA-2013:0701

SUSE-SU-2013_0609-2

USN-1733-1

Affected Products

Json Gem

Ruby

Ruby On Rails

Suse

PT-2013-2202 · Ruby+1 · Ruby On Rails+3

CVE-2013-0269

Weakness Enumeration

Related Identifiers

Affected Products

References · 43