Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

CVE-2013-0269

UNKNOWN

Published 2013-02-13T01:00:00

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2013-0269. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

JSON gem has Improper Input Validation vulnerability

GHSA-x457-cw4h-hq5f

Advisory Details

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

Affected Packages

RubyGems json

ECOSYSTEM: ≥0 <1.5.5

RubyGems json

ECOSYSTEM: ≥1.6.0 <1.6.8

RubyGems json

ECOSYSTEM: ≥1.7.0 <1.7.7

CVSS Scoring

CVSS Score

7.5

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2013-0269

WEB https://exchange.xforce.ibmcloud.com/vulnerabilities/82010

PACKAGE https://github.com/flori/json

WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml

WEB https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain

WEB https://web.archive.org/web/20130228082541/http://www.securityfocus.com/bid/57899

WEB https://web.archive.org/web/20160331131233/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed

WEB https://web.archive.org/web/20160808163226/https://puppet.com/security/cve/cve-2013-0269

WEB http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html

WEB http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html

WEB http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html

WEB http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html

WEB http://rhn.redhat.com/errata/RHSA-2013-0686.html

WEB http://rhn.redhat.com/errata/RHSA-2013-0701.html

WEB http://rhn.redhat.com/errata/RHSA-2013-1028.html

WEB http://rhn.redhat.com/errata/RHSA-2013-1147.html

WEB http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released

WEB http://www.openwall.com/lists/oss-security/2013/02/11/7

WEB http://www.openwall.com/lists/oss-security/2013/02/11/8

WEB http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862

WEB http://www.ubuntu.com/usn/USN-1733-1

WEB http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection

Advisory provided by GitHub Security Advisory Database. Published: October 24, 2017, Modified: June 1, 2023

References

http://rhn.redhat.com/errata/RHSA-2013-0701.html

http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html

http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862

http://secunia.com/advisories/52774

http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed

https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain

http://www.osvdb.org/90074

https://puppet.com/security/cve/cve-2013-0269

http://secunia.com/advisories/52902

http://rhn.redhat.com/errata/RHSA-2013-0686.html

http://www.securityfocus.com/bid/57899

http://www.openwall.com/lists/oss-security/2013/02/11/7

http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection

http://www.openwall.com/lists/oss-security/2013/02/11/8

http://www.ubuntu.com/usn/USN-1733-1

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html

http://rhn.redhat.com/errata/RHSA-2013-1028.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/82010

http://rhn.redhat.com/errata/RHSA-2013-1147.html

http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/

http://secunia.com/advisories/52075

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html

HackerOne Reports

Variant of CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON) Medium

jeremyevans

Ruby

$500.00

Business Logic Errors

Published: 2013-02-13T01:00:00

Last Modified: 2024-08-06T14:18:09.563Z

Copied to clipboard!