Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 7.5
CVE Id: CVE-2013-0269
Last Modified: 30 Oct 2013 11:30:57
Published: 12 Feb 2013 08:55:05
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2013-0269

Summary

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

Vulnerable Systems

Application

  • Rubygems Json Gem 1.5.0
  • Rubygems Json Gem 1.5.1
  • Rubygems Json Gem 1.5.2
  • Rubygems Json Gem 1.5.3
  • Rubygems Json Gem 1.5.4
  • Rubygems Json Gem 1.6.0
  • Rubygems Json Gem 1.6.1
  • Rubygems Json Gem 1.6.2
  • Rubygems Json Gem 1.6.3
  • Rubygems Json Gem 1.6.4
  • Rubygems Json Gem 1.6.5
  • Rubygems Json Gem 1.6.6
  • Rubygems Json Gem 1.6.7
  • Rubygems Json Gem 1.7.0
  • Rubygems Json Gem 1.7.1
  • Rubygems Json Gem 1.7.2
  • Rubygems Json Gem 1.7.3
  • Rubygems Json Gem 1.7.4
  • Rubygems Json Gem 1.7.5
  • Rubygems Json Gem 1.7.6

References

CONFIRM - https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
MISC - http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection
BID - 57899
OSVDB - 90074
MLIST - [oss-security] 20130211 Patch update for [CVE-2013-0269]
MLIST - [oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]
CONFIRM - http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
SECUNIA - 52075
UBUNTU - USN-1733-1
CONFIRM - http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
MLIST - [rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]
XF - json-ruby-security-bypass(82010)
SECUNIA - 52774
REDHAT - RHSA-2013:0686
SECUNIA - 52902
SUSE - openSUSE-SU-2013:0603
SLACKWARE - SSA:2013-075-01
REDHAT - RHSA-2013:0701
SUSE - SUSE-SU-2013:0647
SUSE - SUSE-SU-2013:0609
REDHAT - RHSA-2013:1028
REDHAT - RHSA-2013:1147
APPLE - APPLE-SA-2013-10-22-5

Last Updated: 27 May 2016 11:01:50