CVE-2013-0269
rubygem-json: Denial of Service and SQL Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
El JSON gem v1.7.x anteriores a 1.7.7, v1.6.x anteriores a v1.6.8, y v1.5.x anteriores a v1.5.5 permite a atacantes remotos provocar una denegación de servicio (consumo de recursos) o evitar el mecanismo de protección de asignación masiva a través de un documento JSON manipulado que lanza la creación de símbolos arbitrarios en Ruby o ciertos objetos internos, como se demostró como se ha demostrado mediante la realización de un ataque de inyección SQL en Ruby on Rails, también conocido como "Vulnerabilidad de creación de objetos no seguro".
Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. This roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA Platform 5.3.1. It includes various bug fixes. The following security issues are also fixed with this release: The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2012-12-06 CVE Reserved
- 2013-02-13 CVE Published
- 2013-02-20 First Exploit
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (26)
| URL | Tag | Source |
|---|---|---|
| http://secunia.com/advisories/52774 | Third Party Advisory | |
| http://secunia.com/advisories/52902 | Third Party Advisory | |
| http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed | X_refsource_confirm | |
| http://www.openwall.com/lists/oss-security/2013/02/11/7 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2013/02/11/8 | Mailing List |
|
| http://www.osvdb.org/90074 | Vdb Entry | |
| http://www.securityfocus.com/bid/57899 | Vdb Entry | |
| http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection | X_refsource_misc | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/82010 | Vdb Entry | |
| https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain | Mailing List | |
| https://puppet.com/security/cve/cve-2013-0269 | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| https://github.com/heroku/heroku-CVE-2013-0269 | 2013-02-20 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.5.0 Search vendor "Rubygems" for product "Json Gem" and version "1.5.0" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.5.1 Search vendor "Rubygems" for product "Json Gem" and version "1.5.1" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.5.2 Search vendor "Rubygems" for product "Json Gem" and version "1.5.2" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.5.3 Search vendor "Rubygems" for product "Json Gem" and version "1.5.3" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.5.4 Search vendor "Rubygems" for product "Json Gem" and version "1.5.4" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.6.0 Search vendor "Rubygems" for product "Json Gem" and version "1.6.0" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.6.1 Search vendor "Rubygems" for product "Json Gem" and version "1.6.1" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.6.2 Search vendor "Rubygems" for product "Json Gem" and version "1.6.2" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.6.3 Search vendor "Rubygems" for product "Json Gem" and version "1.6.3" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.6.4 Search vendor "Rubygems" for product "Json Gem" and version "1.6.4" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.6.5 Search vendor "Rubygems" for product "Json Gem" and version "1.6.5" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.6.6 Search vendor "Rubygems" for product "Json Gem" and version "1.6.6" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.6.7 Search vendor "Rubygems" for product "Json Gem" and version "1.6.7" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.7.0 Search vendor "Rubygems" for product "Json Gem" and version "1.7.0" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.7.1 Search vendor "Rubygems" for product "Json Gem" and version "1.7.1" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.7.2 Search vendor "Rubygems" for product "Json Gem" and version "1.7.2" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.7.3 Search vendor "Rubygems" for product "Json Gem" and version "1.7.3" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.7.4 Search vendor "Rubygems" for product "Json Gem" and version "1.7.4" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.7.5 Search vendor "Rubygems" for product "Json Gem" and version "1.7.5" | - |
Affected
| ||||||
| Rubygems Search vendor "Rubygems" | Json Gem Search vendor "Rubygems" for product "Json Gem" | 1.7.6 Search vendor "Rubygems" for product "Json Gem" and version "1.7.6" | - |
Affected
| ||||||