CVE-2013-1854
rubygem-activerecord: attribute_dos Symbol DoS vulnerability
Severity Score
5.0
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
El componente Active Record en Ruby on Rails v2.3.x anterior a v2.3.18, v3.1.x anterior a v3.1.12, y v3.2.x anterior a v3.2.13, procesa determinadas consultas mediante la conversión de los hash de las claves a símbolos, lo que permite a atacantes remotos provocar una denegación de servicio a través de una entrada manipulada al método "where".
A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2013-02-19 CVE Reserved
- 2013-03-19 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (14)
| URL | Tag | Source |
|---|---|---|
| http://support.apple.com/kb/HT5784 | X_refsource_confirm |
|
| http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released | X_refsource_confirm | |
| https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain | Mailing List |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.0 Search vendor "Rubyonrails" for product "Rails" and version "2.3.0" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.1 Search vendor "Rubyonrails" for product "Rails" and version "2.3.1" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.2 Search vendor "Rubyonrails" for product "Rails" and version "2.3.2" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.3 Search vendor "Rubyonrails" for product "Rails" and version "2.3.3" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.4 Search vendor "Rubyonrails" for product "Rails" and version "2.3.4" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.9 Search vendor "Rubyonrails" for product "Rails" and version "2.3.9" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.10 Search vendor "Rubyonrails" for product "Rails" and version "2.3.10" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.11 Search vendor "Rubyonrails" for product "Rails" and version "2.3.11" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.12 Search vendor "Rubyonrails" for product "Rails" and version "2.3.12" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.13 Search vendor "Rubyonrails" for product "Rails" and version "2.3.13" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.14 Search vendor "Rubyonrails" for product "Rails" and version "2.3.14" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.15 Search vendor "Rubyonrails" for product "Rails" and version "2.3.15" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 2.3.16 Search vendor "Rubyonrails" for product "Rails" and version "2.3.16" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | beta1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | rc1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | rc2 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | rc3 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | rc4 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | rc5 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | rc6 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | rc7 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.0 Search vendor "Rubyonrails" for product "Rails" and version "3.1.0" | rc8 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.1 Search vendor "Rubyonrails" for product "Rails" and version "3.1.1" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.1 Search vendor "Rubyonrails" for product "Rails" and version "3.1.1" | rc1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.1 Search vendor "Rubyonrails" for product "Rails" and version "3.1.1" | rc2 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.1 Search vendor "Rubyonrails" for product "Rails" and version "3.1.1" | rc3 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.2 Search vendor "Rubyonrails" for product "Rails" and version "3.1.2" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.2 Search vendor "Rubyonrails" for product "Rails" and version "3.1.2" | rc1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.2 Search vendor "Rubyonrails" for product "Rails" and version "3.1.2" | rc2 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.3 Search vendor "Rubyonrails" for product "Rails" and version "3.1.3" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.4 Search vendor "Rubyonrails" for product "Rails" and version "3.1.4" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.4 Search vendor "Rubyonrails" for product "Rails" and version "3.1.4" | rc1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.5 Search vendor "Rubyonrails" for product "Rails" and version "3.1.5" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.5 Search vendor "Rubyonrails" for product "Rails" and version "3.1.5" | rc1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.6 Search vendor "Rubyonrails" for product "Rails" and version "3.1.6" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.7 Search vendor "Rubyonrails" for product "Rails" and version "3.1.7" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.8 Search vendor "Rubyonrails" for product "Rails" and version "3.1.8" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.9 Search vendor "Rubyonrails" for product "Rails" and version "3.1.9" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.1.10 Search vendor "Rubyonrails" for product "Rails" and version "3.1.10" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.0 Search vendor "Rubyonrails" for product "Rails" and version "3.2.0" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.0 Search vendor "Rubyonrails" for product "Rails" and version "3.2.0" | rc1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.0 Search vendor "Rubyonrails" for product "Rails" and version "3.2.0" | rc2 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.1 Search vendor "Rubyonrails" for product "Rails" and version "3.2.1" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.2 Search vendor "Rubyonrails" for product "Rails" and version "3.2.2" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.2 Search vendor "Rubyonrails" for product "Rails" and version "3.2.2" | rc1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.3 Search vendor "Rubyonrails" for product "Rails" and version "3.2.3" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.3 Search vendor "Rubyonrails" for product "Rails" and version "3.2.3" | rc1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.3 Search vendor "Rubyonrails" for product "Rails" and version "3.2.3" | rc2 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.4 Search vendor "Rubyonrails" for product "Rails" and version "3.2.4" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.4 Search vendor "Rubyonrails" for product "Rails" and version "3.2.4" | rc1 |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.5 Search vendor "Rubyonrails" for product "Rails" and version "3.2.5" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.6 Search vendor "Rubyonrails" for product "Rails" and version "3.2.6" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.7 Search vendor "Rubyonrails" for product "Rails" and version "3.2.7" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.8 Search vendor "Rubyonrails" for product "Rails" and version "3.2.8" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.9 Search vendor "Rubyonrails" for product "Rails" and version "3.2.9" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.10 Search vendor "Rubyonrails" for product "Rails" and version "3.2.10" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.11 Search vendor "Rubyonrails" for product "Rails" and version "3.2.11" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 3.2.12 Search vendor "Rubyonrails" for product "Rails" and version "3.2.12" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Ruby On Rails Search vendor "Rubyonrails" for product "Ruby On Rails" | 2.3.17 Search vendor "Rubyonrails" for product "Ruby On Rails" and version "2.3.17" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Ruby On Rails Search vendor "Rubyonrails" for product "Ruby On Rails" | 3.1.11 Search vendor "Rubyonrails" for product "Ruby On Rails" and version "3.1.11" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Affected
| ||||||