Related vulnerabilities
GSD-2013-0269
Vulnerability from gsd — Updated: 2013-02-12 00:00
Details
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability." Note for triage: the vulnerable component is the json gem itself (fixed in 1.5.5, 1.6.8 and 1.7.7; JRuby bundles a fixed copy from 1.7.3) — the SQL injection is a downstream consequence in Rails applications that pass parsed JSON into mass assignment or query builders, not a flaw in the gem's own SQL handling. The CVSS v2 vector recorded by NVD (AV:N/AC:L/Au:N/C:P/I:P/A:P) scores 7.5; the 9.0 figure carried by some of the aggregated sources in this record does not correspond to that vector and should not be used for prioritization without checking the source.
Aliases
{
"GSD": {
"alias": "CVE-2013-0269",
"description": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\"",
"id": "GSD-2013-0269",
"references": [
"https://www.suse.com/security/cve/CVE-2013-0269.html",
"https://access.redhat.com/errata/RHSA-2013:1185",
"https://access.redhat.com/errata/RHSA-2013:1147",
"https://access.redhat.com/errata/RHSA-2013:1028",
"https://access.redhat.com/errata/RHSA-2013:0701",
"https://access.redhat.com/errata/RHSA-2013:0686"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "json",
"purl": "pkg:gem/json"
}
}
],
"aliases": [
"CVE-2013-0269",
"OSVDB-101137"
],
"details": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\"",
"id": "GSD-2013-0269",
"modified": "2013-02-12T00:00:00.000Z",
"published": "2013-02-12T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0269"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 9.0,
"type": "CVSS_V2"
}
],
"summary": "CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0269",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-0686.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"name": "http://secunia.com/advisories/52774",
"refsource": "MISC",
"url": "http://secunia.com/advisories/52774"
},
{
"name": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/",
"refsource": "MISC",
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"name": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html",
"refsource": "MISC",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-1028.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"
},
{
"name": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html",
"refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"
},
{
"name": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html",
"refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"
},
{
"name": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html",
"refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-0701.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-1147.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"
},
{
"name": "http://secunia.com/advisories/52075",
"refsource": "MISC",
"url": "http://secunia.com/advisories/52075"
},
{
"name": "http://secunia.com/advisories/52902",
"refsource": "MISC",
"url": "http://secunia.com/advisories/52902"
},
{
"name": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed",
"refsource": "MISC",
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"name": "http://www.openwall.com/lists/oss-security/2013/02/11/7",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"
},
{
"name": "http://www.openwall.com/lists/oss-security/2013/02/11/8",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"
},
{
"name": "http://www.osvdb.org/90074",
"refsource": "MISC",
"url": "http://www.osvdb.org/90074"
},
{
"name": "http://www.securityfocus.com/bid/57899",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/57899"
},
{
"name": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2013\u0026m=slackware-security.426862",
"refsource": "MISC",
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2013\u0026m=slackware-security.426862"
},
{
"name": "http://www.ubuntu.com/usn/USN-1733-1",
"refsource": "MISC",
"url": "http://www.ubuntu.com/usn/USN-1733-1"
},
{
"name": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection",
"refsource": "MISC",
"url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"
},
{
"name": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source\u0026output=gplain",
"refsource": "MISC",
"url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source\u0026output=gplain"
},
{
"name": "https://puppet.com/security/cve/cve-2013-0269",
"refsource": "MISC",
"url": "https://puppet.com/security/cve/cve-2013-0269"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-0269",
"cvss_v2": 9.0,
"date": "2013-02-12",
"description": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\"",
"gem": "json",
"osvdb": 101137,
"patched_versions": [
"~\u003e 1.5.5",
"~\u003e 1.6.8",
"\u003e= 1.7.7"
],
"title": "CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0269"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.5.5 || \u003e=1.6.0 \u003c1.6.8 || \u003e=1.7.0 \u003c1.7.7",
"affected_versions": "All versions before 1.5.5, all versions starting from 1.6.0 before 1.6.8, all versions starting from 1.7.0 before 1.7.7",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2017-12-08",
"description": "When parsing certain JSON documents, the JSON gem can be coerced in to creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack. The same technique can be used to create objects in a target system that act like internal objects. These \"act alike\" objects can be used to bypass certain security mechanisms and can be used as a spring board for SQL injection attacks in Ruby on Rails.",
"fixed_versions": [
"1.5.5",
"1.6.8",
"1.7.7"
],
"identifier": "CVE-2013-0269",
"identifiers": [
"CVE-2013-0269"
],
"not_impacted": "NONE",
"package_slug": "gem/json",
"pubdate": "2013-02-12",
"solution": "Upgrade, patches and workarounds available (see source)",
"title": "Denial of Service and Unsafe Object Creation Vulnerability",
"urls": [
"https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58"
],
"uuid": "fd4699b1-3c7c-4b66-b4a9-d640990c6764"
},
{
"affected_range": "[1.7.1,1.7.3)",
"affected_versions": "All versions starting from 1.7.1 before 1.7.3",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2017-12-08",
"description": "This package allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\"",
"fixed_versions": [
"1.7.3"
],
"identifier": "CVE-2013-0269",
"identifiers": [
"CVE-2013-0269"
],
"package_slug": "maven/org.jruby/jruby",
"pubdate": "2013-02-12",
"solution": "Upgrade to version 1.7.3 or above.",
"title": "Denial of Service and SQL Injection",
"urls": [
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0269"
],
"uuid": "dbe17325-e976-41dc-b8df-fb185e139033"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.7.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.7.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.7.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.6.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.6.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.7.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.7.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.7.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.6.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.6.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.6.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.6.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.5.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubygems:json_gem:1.5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0269"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection",
"refsource": "MISC",
"tags": [],
"url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"
},
{
"name": "[oss-security] 20130211 Patch update for [CVE-2013-0269]",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"
},
{
"name": "90074",
"refsource": "OSVDB",
"tags": [],
"url": "http://www.osvdb.org/90074"
},
{
"name": "57899",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/57899"
},
{
"name": "52075",
"refsource": "SECUNIA",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/52075"
},
{
"name": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"name": "[oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"
},
{
"name": "USN-1733-1",
"refsource": "UBUNTU",
"tags": [],
"url": "http://www.ubuntu.com/usn/USN-1733-1"
},
{
"name": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed",
"refsource": "CONFIRM",
"tags": [],
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"name": "[rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]",
"refsource": "MLIST",
"tags": [],
"url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source\u0026output=gplain"
},
{
"name": "52774",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/52774"
},
{
"name": "RHSA-2013:0686",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"name": "52902",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/52902"
},
{
"name": "openSUSE-SU-2013:0603",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"
},
{
"name": "RHSA-2013:0701",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"
},
{
"name": "SUSE-SU-2013:0609",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"
},
{
"name": "SUSE-SU-2013:0647",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"
},
{
"name": "RHSA-2013:1028",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"
},
{
"name": "RHSA-2013:1147",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"
},
{
"name": "APPLE-SA-2013-10-22-5",
"refsource": "APPLE",
"tags": [],
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"name": "SSA:2013-075-01",
"refsource": "SLACKWARE",
"tags": [],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2013\u0026m=slackware-security.426862"
},
{
"name": "json-ruby-security-bypass(82010)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"
},
{
"name": "https://puppet.com/security/cve/cve-2013-0269",
"refsource": "CONFIRM",
"tags": [],
"url": "https://puppet.com/security/cve/cve-2013-0269"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-12-09T02:29Z",
"publishedDate": "2013-02-13T01:55Z"
}
}
}