CVE-2013-0285

Published Apr 9, 2013

Last updated 12 years ago

Overview

Description: The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
Source: secalert@redhat.com
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 2.0

Type: Primary
Base score: 7.5
Impact score: 6.4
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-20

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nori_gem_project:nori_gem:2.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E7F11167-EC4D-44B6-A368-1F0EB3EE6F70"
          },
          {
            "criteria": "cpe:2.3:a:nori_gem_project:nori_gem:2.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1EA58AED-413C-419E-B36E-F3509D65513F"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nori_gem_project:nori_gem:1.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CB056B7F-7D12-40AC-AF17-45C0B60DED1F"
          },
          {
            "criteria": "cpe:2.3:a:nori_gem_project:nori_gem:1.1.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5076DB7D-D183-4B5F-907F-5A08B76E6675"
          },
          {
            "criteria": "cpe:2.3:a:nori_gem_project:nori_gem:1.1.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DC29C39B-6FBA-4C11-ACA8-A0575252BA36"
          },
          {
            "criteria": "cpe:2.3:a:nori_gem_project:nori_gem:1.1.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E6829ADA-BB4A-435C-91BC-0932BDC9B845"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nori_gem_project:nori_gem:1.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "15633FDB-CFBD-463A-8FFD-909DD219F9A9"
          },
          {
            "criteria": "cpe:2.3:a:nori_gem_project:nori_gem:1.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C7AAAAB1-7F6C-45C8-B13F-F97F84C90F11"
          },
          {
            "criteria": "cpe:2.3:a:nori_gem_project:nori_gem:1.0.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3BA998B4-1671-408E-A645-29FE42293FF6"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 2.0

Weaknesses

Configurations

References