CVE-2013-0156
Ruby on Rails XML Processor YAML Deserialization Scanner
Severity Score:
Exploit Likelihood:
Affected Versions:
Public Exploits: 12
Exploited in Wild: -
Decision: -
Descriptions
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict the casting of string-type values, which allows remote attackers to carry out object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for the (1) YAML or (2) Symbol type conversions.
Ruby on Rails is a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Active Record implements object-relational mapping for accessing database entries using objects. Active Support provides support and utility classes used by the Ruby on Rails framework. Multiple flaws were found in the way Ruby on Rails performed XML parameter parsing in HTTP requests. A remote attacker could use these flaws to execute arbitrary code with the privileges of a Ruby on Rails application, perform SQL injection attacks, or bypass the authentication using a specially-created HTTP request.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2012-12-06 CVE Reserved
- 2013-01-08 CVE Published
- 2013-01-10 First Exploit
- 2024-08-06 CVE Updated
- 2025-07-15 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-20: Improper Input Validation
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (29)

URL | Tag | Source
---|---|---
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A | Third Party Advisory |
http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html | Third Party Advisory |
http://www.insinuator.net/2013/01/rails-yaml | Third Party Advisory |
http://www.kb.cert.org/vuls/id/380039 | Third Party Advisory |
http://www.kb.cert.org/vuls/id/628463 | Third Party Advisory |
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156 | Third Party Advisory |
https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain | Mailing List |
https://puppet.com/security/cve/cve-2013-0156 | Third Party Advisory |
https://www.rapid7.com/blog/post/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156 | |

URL | Date | SRC
---|---|---
https://packetstorm.news/files/id/181043 | 2024-09-01 |
https://packetstorm.news/files/id/119471 | 2013-01-11 |
https://www.exploit-db.com/exploits/27527 | 2013-08-12 |
https://www.exploit-db.com/exploits/24019 | 2013-01-10 |
https://github.com/heroku/heroku-CVE-2013-0156 | 2013-01-29 |
https://github.com/R3dKn33-zz/CVE-2013-0156 | 2019-05-27 |
https://github.com/terracatta/name_reverser | 2016-09-04 |
https://github.com/josal/crack-0.1.8-fixed | 2016-09-04 |
https://github.com/bsodmike/rails-exploit-cve-2013-0156 | 2019-03-16 |
https://github.com/Jjdt12/kuang_grade_mk11 | 2023-07-29 |
https://github.com/oxBEN10/CVE-2013-0156 | 2024-11-13 |
https://github.com/oxben10/CVE-2013-0156 | 2024-11-13 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Rubyonrails | Rails | >= 3.2.0 < 3.2.11 | - | Affected
Rubyonrails | Ruby On Rails | < 2.3.15 | - | Affected
Rubyonrails | Ruby On Rails | >= 3.0.0 < 3.0.19 | - | Affected
Rubyonrails | Ruby On Rails | >= 3.1.0 < 3.1.10 | - | Affected
Debian | Debian Linux | 6.0 | - | Affected
Debian | Debian Linux | 7.0 | - | Affected