Vulnerabilites related to rubygems - json_gem
CVE-2013-0269 (GCVE-0-2013-0269)
Vulnerability from cvelistv5
Published
2013-02-13 01:00
Modified
2024-08-06 14:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T14:18:09.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2013:0701",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"
},
{
"name": "openSUSE-SU-2013:0603",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"
},
{
"name": "APPLE-SA-2013-10-22-5",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"name": "SSA:2013-075-01",
"tags": [
"vendor-advisory",
"x_refsource_SLACKWARE",
"x_transferred"
],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2013\u0026m=slackware-security.426862"
},
{
"name": "52774",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/52774"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"name": "[rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source\u0026output=gplain"
},
{
"name": "90074",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/90074"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2013-0269"
},
{
"name": "52902",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/52902"
},
{
"name": "RHSA-2013:0686",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"name": "57899",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/57899"
},
{
"name": "[oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"
},
{
"name": "[oss-security] 20130211 Patch update for [CVE-2013-0269]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"
},
{
"name": "USN-1733-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-1733-1"
},
{
"name": "SUSE-SU-2013:0609",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"
},
{
"name": "RHSA-2013:1028",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"
},
{
"name": "json-ruby-security-bypass(82010)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"
},
{
"name": "RHSA-2013:1147",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"name": "52075",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/52075"
},
{
"name": "SUSE-SU-2013:0647",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-02-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-08T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2013:0701",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"
},
{
"name": "openSUSE-SU-2013:0603",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"
},
{
"name": "APPLE-SA-2013-10-22-5",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"name": "SSA:2013-075-01",
"tags": [
"vendor-advisory",
"x_refsource_SLACKWARE"
],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2013\u0026m=slackware-security.426862"
},
{
"name": "52774",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/52774"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"name": "[rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source\u0026output=gplain"
},
{
"name": "90074",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/90074"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2013-0269"
},
{
"name": "52902",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/52902"
},
{
"name": "RHSA-2013:0686",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"name": "57899",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/57899"
},
{
"name": "[oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"
},
{
"name": "[oss-security] 20130211 Patch update for [CVE-2013-0269]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"
},
{
"name": "USN-1733-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-1733-1"
},
{
"name": "SUSE-SU-2013:0609",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"
},
{
"name": "RHSA-2013:1028",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"
},
{
"name": "json-ruby-security-bypass(82010)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"
},
{
"name": "RHSA-2013:1147",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"name": "52075",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/52075"
},
{
"name": "SUSE-SU-2013:0647",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-0269",
"datePublished": "2013-02-13T01:00:00",
"dateReserved": "2012-12-06T00:00:00",
"dateUpdated": "2024-08-06T14:18:09.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2013-02-13 01:55
Modified
2025-04-11 00:51
Severity ?
Summary
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
References
| ▶ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html | ||
| secalert@redhat.com | http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html | ||
| secalert@redhat.com | http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html | ||
| secalert@redhat.com | http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html | ||
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2013-0686.html | ||
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2013-0701.html | ||
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2013-1028.html | ||
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2013-1147.html | ||
| secalert@redhat.com | http://secunia.com/advisories/52075 | Vendor Advisory | |
| secalert@redhat.com | http://secunia.com/advisories/52774 | ||
| secalert@redhat.com | http://secunia.com/advisories/52902 | ||
| secalert@redhat.com | http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed | ||
| secalert@redhat.com | http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ | Vendor Advisory | |
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2013/02/11/7 | ||
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2013/02/11/8 | ||
| secalert@redhat.com | http://www.osvdb.org/90074 | ||
| secalert@redhat.com | http://www.securityfocus.com/bid/57899 | ||
| secalert@redhat.com | http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862 | ||
| secalert@redhat.com | http://www.ubuntu.com/usn/USN-1733-1 | ||
| secalert@redhat.com | http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection | ||
| secalert@redhat.com | https://exchange.xforce.ibmcloud.com/vulnerabilities/82010 | ||
| secalert@redhat.com | https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain | ||
| secalert@redhat.com | https://puppet.com/security/cve/cve-2013-0269 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2013-0686.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2013-0701.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2013-1028.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2013-1147.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/52075 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/52774 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/52902 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2013/02/11/7 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2013/02/11/8 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.osvdb.org/90074 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/57899 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.ubuntu.com/usn/USN-1733-1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/82010 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://puppet.com/security/cve/cve-2013-0269 |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubygems | json_gem | 1.5.0 | |
| rubygems | json_gem | 1.5.1 | |
| rubygems | json_gem | 1.5.2 | |
| rubygems | json_gem | 1.5.3 | |
| rubygems | json_gem | 1.5.4 | |
| rubygems | json_gem | 1.6.0 | |
| rubygems | json_gem | 1.6.1 | |
| rubygems | json_gem | 1.6.2 | |
| rubygems | json_gem | 1.6.3 | |
| rubygems | json_gem | 1.6.4 | |
| rubygems | json_gem | 1.6.5 | |
| rubygems | json_gem | 1.6.6 | |
| rubygems | json_gem | 1.6.7 | |
| rubygems | json_gem | 1.7.0 | |
| rubygems | json_gem | 1.7.1 | |
| rubygems | json_gem | 1.7.2 | |
| rubygems | json_gem | 1.7.3 | |
| rubygems | json_gem | 1.7.4 | |
| rubygems | json_gem | 1.7.5 | |
| rubygems | json_gem | 1.7.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1A6068E1-1BB1-4FBE-A4DA-C303B2E65E1D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6572D2E9-1D09-4245-BEB3-A3BCF3C4455C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "56DF3383-1E82-4FA0-B92F-1C96DAB5C12C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "3EFA5025-DFED-4540-B773-5777ACE013C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9EB792B2-FF20-4C39-B2DD-171E6B8317F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A65B497E-F658-4E6D-810C-97C56FF0AAF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6D8A1269-441E-48E1-A0F2-949C49FFAEC3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DC0420E6-84C8-4210-AB79-875564741330",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "73665EA1-E35D-469D-8898-163FB8DF34AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "0AB8EC9A-8CC4-4A71-A026-6FB98DA1A35F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "530A8D3B-AFF0-4316-A4B5-B222A73CD9E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "89AE459A-4169-47F4-9B40-344002352C61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "9FC8E7A7-7A94-497E-B8C2-B4A0CBD4BD7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D696FD5D-3DAD-4AAB-A3C7-1865739922D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "88A3B72B-5784-4169-88DA-9EF51C5CE907",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0B59F779-5E90-40E3-ABC8-58A7EC3C7E17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "979B9AA8-3E70-4BCF-8C2F-3C872AF8A7B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7DCB75C6-3E7A-41C7-8513-8766C4ED73F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "717A9E8C-9E3E-4F55-8CD4-D9E6CF670C5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "52D8BF48-03A7-4EFA-B626-A92C8570CB86",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""
},
{
"lang": "es",
"value": "El JSON gem v1.7.x anteriores a 1.7.7, v1.6.x anteriores a v1.6.8, y v1.5.x anteriores a v1.5.5 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de recursos) o evitar el mecanismo de protecci\u00f3n de asignaci\u00f3n masiva a trav\u00e9s de un documento JSON manipulado que lanza la creaci\u00f3n de s\u00edmbolos arbitrarios en Ruby o ciertos objetos internos, como se demostr\u00f3 como se ha demostrado mediante la realizaci\u00f3n de un ataque de inyecci\u00f3n SQL en Ruby on Rails, tambi\u00e9n conocido como \"Vulnerabilidad de creaci\u00f3n de objetos no seguro\"."
}
],
"id": "CVE-2013-0269",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-02-13T01:55:05.107",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/52075"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/52774"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/52902"
},
{
"source": "secalert@redhat.com",
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/90074"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/57899"
},
{
"source": "secalert@redhat.com",
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2013\u0026m=slackware-security.426862"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-1733-1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2013-0269"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/52075"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/52774"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/52902"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/90074"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/57899"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2013\u0026m=slackware-security.426862"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-1733-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2013-0269"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}