CVE-2013-0156
Description
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-0156
Vendor advisory: secalert@redhat.com — http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
Exploits
Exploit-DB
Metasploit modules
- exploit_multi/http/rails_secret_deserialization · rank 600 · Ruby on Rails Known Secret Session Cookie Remote Code Execution
- exploit_multi/http/rails_xml_yaml_code_exec · rank 600 · Ruby on Rails XML Processor YAML Deserialization Code Execution
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | 6.0 | affected | |
| debian | 7.0 | affected | |
| debian | bookworm | fixed | 2.3.14.1 |
| debian | bullseye | fixed | 2.3.14.1 |
| debian | forky | fixed | 2.3.14.1 |
| debian | sid | fixed | 2.3.14.1 |
| debian | trixie | fixed | 2.3.14.1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | actionpack | <~> 2.3.15 | ~> 2.3.15 |
| RubyGems | actionpack | <2.3.15 | 2.3.15 |
| RubyGems | actionpack | >=3.0.0,<3.0.19 | 3.0.19 |
| RubyGems | actionpack | >=3.1.0,<3.1.10 | 3.1.10 |
| RubyGems | actionpack | >=3.2.0,<3.2.11 | 3.2.11 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| rubyonrails | rails | {"startIncluding":"3.2.0","endExcluding":"3.2.11"} | 3.2.11 |
| rubyonrails | ruby_on_rails | {"endExcluding":"2.3.15"} | 2.3.15 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2013-0156
- http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
- http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2013-0153.html
- http://rhn.redhat.com/errata/RHSA-2013-0154.html
- http://rhn.redhat.com/errata/RHSA-2013-0155.html
- http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
- http://www.debian.org/security/2013/dsa-2604
- http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
- http://www.insinuator.net/2013/01/rails-yaml/
- http://www.kb.cert.org/vuls/id/380039
- http://www.kb.cert.org/vuls/id/628463
- https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
- https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
- https://puppet.com/security/cve/cve-2013-0156
- https://github.com/rails/rails
- https://web.archive.org/web/20140111025708/http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
- https://web.archive.org/web/20160415043747/https://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
- https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156
- http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
- http://www.insinuator.net/2013/01/rails-yaml
- https://security-tracker.debian.org/tracker/CVE-2013-0156
CWEs
CWE-20
Verify integrity in audit chain (admin only). AS-IS.