CVE-2013-0269

Published: 13/02/2013 Updated: 09/12/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The JSON gem prior to 1.5.5, 1.6.x prior to 1.6.8, and 1.7.x prior to 1.7.7 for Ruby allows remote malicious users to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
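The affected ranges above are easy to misread when auditing a dependency tree by hand (1.5.5, 1.6.8 and 1.7.7 are each fixed, but a 1.6.x install is not covered by the 1.7.7 line). The following is an added example, not code from the page or from the json gem project: it encodes those three ranges with RubyGems' own requirement matching and audits the json pin in a constructed Gemfile.lock.

```ruby
require 'rubygems'

# Affected ranges taken from the advisory text: anything before 1.5.5,
# the 1.6 branch before 1.6.8 and the 1.7 branch before 1.7.7.
JSON_GEM_VULNERABLE_RANGES = [
  Gem::Requirement.new("< 1.5.5"),
  Gem::Requirement.new(">= 1.6.0", "< 1.6.8"),
  Gem::Requirement.new(">= 1.7.0", "< 1.7.7"),
].freeze

# True when the given json gem version string falls in an affected range.
def json_gem_vulnerable?(version)
  # Drop a platform suffix such as "-java" before comparing.
  v = Gem::Version.new(version.to_s.split("-").first)
  JSON_GEM_VULNERABLE_RANGES.any? { |range| range.satisfied_by?(v) }
end

# Returns the json version pinned in a Gemfile.lock, or nil when the
# lockfile does not resolve the json gem at all.
def locked_json_version(lockfile_text)
  # In the specs: section a resolved gem is indented by four spaces;
  # its dependency entries are indented by six, so they do not match.
  match = lockfile_text.match(/^ {4}json \(([^)]+)\)\s*$/)
  match && match[1]
end

# Audits a lockfile: returns [vulnerable?, version].
def audit_lockfile(lockfile_text)
  version = locked_json_version(lockfile_text)
  return [false, nil] if version.nil?
  [json_gem_vulnerable?(version), version]
end

# Constructed sample lockfile (not taken from any real application).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.7.5)
      rails (3.2.11)
        json (~> 1.7)
LOCK

if __FILE__ == $0
  vulnerable, version = audit_lockfile(SAMPLE_LOCKFILE)
  puts "json #{version}: #{vulnerable ? 'affected by CVE-2013-0269' : 'not affected'}"
end
```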

Vulnerable Products

rubygems json gem 1.5.0
rubygems json gem 1.5.1
rubygems json gem 1.5.2
rubygems json gem 1.5.3
rubygems json gem 1.5.4
rubygems json gem 1.6.0
rubygems json gem 1.6.1
rubygems json gem 1.6.2
rubygems json gem 1.6.3
rubygems json gem 1.6.4
rubygems json gem 1.6.5
rubygems json gem 1.6.6
rubygems json gem 1.6.7
rubygems json gem 1.7.0
rubygems json gem 1.7.1
rubygems json gem 1.7.2
rubygems json gem 1.7.3
rubygems json gem 1.7.4
rubygems json gem 1.7.5
rubygems json gem 1.7.6

Vendor Advisories

Synopsis: Moderate: ruby193-ruby, rubygem-json and rubygem-rdoc security update. Type/Severity: Security Advisory: Moderate. Topic: Updated ruby193-ruby, rubygem-json and rubygem-rdoc packages that fix two security issues are now available for Red Hat OpenShift Enterprise 1.1.3. The Red Hat Security Response Team ...
Synopsis: Moderate: Subscription Asset Manager 1.2.1 update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat Subscription Asset Manager 1.2.1, which fixes several security issues, multiple bugs, and adds various enhancements, is now available. The Red Hat Security Response Team has rated this update as ...
Debian Bug report logs - #700436: Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]. Package: ruby-json; Maintainer for ruby-json is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for ruby-json is src:ruby-json (PTS, buildd, popcon). Reported by: Ond ...
Several security issues were fixed in Ruby ...

Github Repositories

Inspect all of your Heroku apps for vulnerable versions of the JSON gem

heroku-CVE-2013-0269: Inspect all of your Heroku apps to see if they are running a vulnerable version of JSON. Background: A security vulnerability has been found in the Ruby JSON gem. This is the root cause for the recently-announced MySQL injection issue in Rails. A new release of the JSON gem is available. Developers can get a full list of all your affected Heroku applications ...