CVE - CVE-2013-0269

CVE-ID
CVE-2013-0269	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269] URL:http://www.openwall.com/lists/oss-security/2013/02/11/7 MLIST:[oss-security] 20130211 Patch update for [CVE-2013-0269] URL:http://www.openwall.com/lists/oss-security/2013/02/11/8 MLIST:[rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269] URL:https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain MISC:http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection CONFIRM:http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ CONFIRM:http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed CONFIRM:https://puppet.com/security/cve/cve-2013-0269 APPLE:APPLE-SA-2013-10-22-5 URL:http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html REDHAT:RHSA-2013:0686 URL:http://rhn.redhat.com/errata/RHSA-2013-0686.html REDHAT:RHSA-2013:0701 URL:http://rhn.redhat.com/errata/RHSA-2013-0701.html REDHAT:RHSA-2013:1028 URL:http://rhn.redhat.com/errata/RHSA-2013-1028.html REDHAT:RHSA-2013:1147 URL:http://rhn.redhat.com/errata/RHSA-2013-1147.html SLACKWARE:SSA:2013-075-01 URL:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862 SUSE:openSUSE-SU-2013:0603 URL:http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html SUSE:SUSE-SU-2013:0609 URL:http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html SUSE:SUSE-SU-2013:0647 URL:http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html UBUNTU:USN-1733-1 URL:http://www.ubuntu.com/usn/USN-1733-1 BID:57899 URL:http://www.securityfocus.com/bid/57899 OSVDB:90074 URL:http://www.osvdb.org/90074 SECUNIA:52075 URL:http://secunia.com/advisories/52075 SECUNIA:52774 URL:http://secunia.com/advisories/52774 SECUNIA:52902 URL:http://secunia.com/advisories/52902 XF:json-ruby-security-bypass(82010) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/82010
Assigning CNA
N/A
Date Entry Created
20121206	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20121206)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org