CVE-2013-0333 (GCVE-0-2013-0333)
Vulnerability from cvelistv5
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T14:25:09.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VU#628463",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"name": "DSA-2613",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2013/dsa-2613"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://support.apple.com/kb/HT5784"
},
{
"name": "APPLE-SA-2013-06-04-1",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"name": "APPLE-SA-2013-03-14-1",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"name": "[rubyonrails-security] 20130129 Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain"
},
{
"name": "RHSA-2013:0201",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0201.html"
},
{
"name": "RHSA-2013:0202",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0202.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2013-0333"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"name": "RHSA-2013:0203",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0203.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-01-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-08T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "VU#628463",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"name": "DSA-2613",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2013/dsa-2613"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://support.apple.com/kb/HT5784"
},
{
"name": "APPLE-SA-2013-06-04-1",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"name": "APPLE-SA-2013-03-14-1",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"name": "[rubyonrails-security] 20130129 Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain"
},
{
"name": "RHSA-2013:0201",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0201.html"
},
{
"name": "RHSA-2013:0202",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0202.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2013-0333"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"name": "RHSA-2013:0203",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0203.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-0333",
"datePublished": "2013-01-30T11:00:00",
"dateReserved": "2012-12-06T00:00:00",
"dateUpdated": "2024-08-06T14:25:09.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2013-0333\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-01-30T12:00:08.930\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.\"},{\"lang\":\"es\",\"value\":\"lib/active_support/json/backends/yaml.rb en Ruby on Rails v2.3.x anterior a v2.3.16 y v3.0.x anterior a v3.0.20 no convierte correctamente los datos de tipo JSON a datos YAML para el procesamiento por el analizador YAML, lo cual permite a atacantes remotos ejecutar c\u00f3digo arbitrario, conducir ataques de inyecci\u00f3n SQL, o saltare la autentificaci\u00f3n a trav\u00e9s de la modificaci\u00f3n de datos que disparan una descodificaci\u00f3n insegura, esta vulnerabilidad es diferente a 
CVE-2013-0156.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E2DF384-3992-43BF-8A5C-65FA53E9A77C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1467583-23E9-4E2B-982D-80A356174BB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DC784C0-5618-4C32-8C17-BE7041656E14\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B38EAA4-E948-45A7-B6E5-7214F2B545E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6ECC8C49-5A46-4D23-81F
9-8243F5D508DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"312848C5-BA35-4A48-B66D-195A5E1CD00F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B7453BE5-91C8-42B2-9F75-FFE4038F29A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2FD44EB-E899-4FA8-985E-44B75134DDC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3BE7DFE-BA20-434B-A1DE-AD038B255C60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*\",\"matchCriteriaId\":\"DCEE5B21-C990-4705-8239-0D7B29DAEDA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"65EE33B1-B079-4CDE-B9C2-F1613A4610DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CAAA20B-824F-4448-99DC-9712FE628073\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2BEBDFB-0F30-454A-B74C-F820C9D2708B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D7CD8C1-95D1-477E-AD96-6582EC33BA01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"B6F00D98-3D0F-40AF-AE4F-090B1E6B660C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9476CE55-69C0-45D3-B723-6F459C90BF05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*\",\"matchCriteriaId\":\"486F5B
A6-BCF7-4691-9754-19D364B4438D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"112FC73B-A8BC-4EEA-9F4B-CCE685EF2838\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4498383-6FCA-4E17-A1FD-B0CE7EE50F85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D26565B1-2BA6-4A3C-9264-7FC9A1820B59\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"392E2D58-CB39-4832-B4D9-9C2E23B8E14C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F2466EA-7039-46A1-B4A3-8DACD1953A59\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0CAB4E72-0A15-4B26-9B69-074C278568D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A085E105-9375-440A-80CB-9B23E6D7EB4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"25911E48-C5D7-4ED8-B4DB-7523A74CCF49\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B29674E3-CC80-446B-9A43-82594AE7A058\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF34D8CB-2B6D-4CB8-A206-108293BCFFE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B\"},{\"vulnerable\":true,\"crite
ria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"272268EE-E3E8-4683-B679-55D748877A7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B69FD33-61FE-4F10-BBE1-215F59035D30\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"08D7CB5D-82EF-4A24-A792-938FAB40863D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A044B21-47D5-468D-AF4A-06B3B5CC0824\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2196F3D0-532A-40F9-843A-1DFBC8B63FDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBEDA932-6CB5-438C-94E4-824732A91BE0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"903E5524-5E45-48CE-A804-EDAEBE3A79AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"08534AF2-F94E-4FB6-A572-4FB9827276D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"29E3B4A6-1346-4358-B7BC-84D00ED3ABBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B52D7A6B-DD93-45F0-9186-18ABEFF28DF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F07C641-48DF-43BE-9EB5-72B337C54846\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1CB1B12-99F5-430F-AE19-9A95C17FA123\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:
*:*\",\"matchCriteriaId\":\"05D5D58C-DB79-41EA-81AE-5D95C48211B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE331D6D-99BA-4369-AD8B-B556DEE4955F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"58304E17-ADFD-4686-9CCF-C1CA31843B94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"05108EF0-81AD-4378-9843-5C23F2AC79A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C448F62-8231-4221-ADA0-C9B848AE03D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60255706-C44A-48CB-B98B-A1F0991CBC74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0456E2E8-EF06-414E-8A7D-8005F0EB46B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"224BD488-0D7E-4F8B-9012-DE872DEB544C\"}]}]}],\"references\":[{\"url\":\"http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0201.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0202.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0203.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://sup
port.apple.com/kb/HT5784\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.debian.org/security/2013/dsa-2613\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.kb.cert.org/vuls/id/628463\",\"source\":\"secalert@redhat.com\",\"tags\":[\"US Government Resource\"]},{\"url\":\"https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://puppet.com/security/cve/cve-2013-0333\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0201.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0202.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0203.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://support.apple.com/kb/HT5784\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2013/dsa-2613\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.kb.cert.org/vuls/id/628463\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government 
Resource\"]},{\"url\":\"https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://puppet.com/security/cve/cve-2013-0333\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
rhsa-2013:0203
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat CloudForms.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the authentication\nusing a specially-created JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nUsers of Red Hat CloudForms are advised to upgrade to this updated package,\nwhich resolves this issue. Users of CloudForms Cloud Engine must run\n\"aeolus-services restart\" and users of CloudForms System Engine must run\n\"katello-service restart\" for this update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0203",
"url": "https://access.redhat.com/errata/RHSA-2013:0203"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0203.json"
}
],
"title": "Red Hat Security Advisory: rubygem-activesupport security update",
"tracking": {
"current_release_date": "2025-10-09T14:18:55+00:00",
"generator": {
"date": "2025-10-09T14:18:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2013:0203",
"initial_release_date": "2013-01-29T05:00:00+00:00",
"revision_history": [
{
"date": "2013-01-29T05:00:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-01-29T05:07:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T14:18:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Cloud Engine for RHEL 6 Server",
"product": {
"name": "CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine",
"product_identification_helper": {
"cpe": "cpe:/a:cloudforms_cloudengine:1::el6"
}
}
},
{
"category": "product_name",
"name": "CloudForms System Engine for RHEL 6 Server",
"product": {
"name": "CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine",
"product_identification_helper": {
"cpe": "cpe:/a:cloudforms_systemengine:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"product": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"product_id": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-9.el6cf?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-all@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-glue-candlepin@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-api-docs@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-glue-pulp@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-common@1.1.12.1-1.el6cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"product": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"product_id": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-9.el6cf?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "katello-0:1.1.12.1-1.el6cf.src",
"product": {
"name": "katello-0:1.1.12.1-1.el6cf.src",
"product_id": "katello-0:1.1.12.1-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello@1.1.12.1-1.el6cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-0:1.1.12.1-1.el6cf.src as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src"
},
"product_reference": "katello-0:1.1.12.1-1.el6cf.src",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-all-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-common-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"relates_to_product_reference": "6Server-SystemEngine"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Lawrence Pit"
],
"organization": "Mirror42",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-0333",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "903440"
}
],
"notes": [
{
"category": "description",
"text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activesupport: json to yaml parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src",
"6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"category": "external",
"summary": "RHBZ#903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
}
],
"release_date": "2013-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-01-29T05:00:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src",
"6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0203"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src",
"6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "rubygem-activesupport: json to yaml parsing"
}
]
}
rhsa-2013:0202
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat OpenShift Enterprise 1.0.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the authentication\nusing a specially-created JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nAll users of Red Hat OpenShift Enterprise are advised to upgrade to this\nupdated package, which resolves this issue. For Red Hat OpenShift\nEnterprise administrators, the openshift-broker and openshift-console\nservices must be restarted for this update to take effect. Users of\nOpenShift are advised to update their own applications that are running\nRuby on Rails.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0202",
"url": "https://access.redhat.com/errata/RHSA-2013:0202"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0202.json"
}
],
"title": "Red Hat Security Advisory: rubygem-activesupport security update",
"tracking": {
"current_release_date": "2025-10-09T14:18:55+00:00",
"generator": {
"date": "2025-10-09T14:18:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2013:0202",
"initial_release_date": "2013-01-28T23:10:00+00:00",
"revision_history": [
{
"date": "2013-01-28T23:10:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-01-28T23:13:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T14:18:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise Infrastructure",
"product": {
"name": "Red Hat OpenShift Enterprise Infrastructure",
"product_id": "6Server-RHOSE-INFRA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:1::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise Node",
"product": {
"name": "Red Hat OpenShift Enterprise Node",
"product_id": "6Server-RHOSE-NODE",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"product": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"product_id": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.13-4.el6op?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"product": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"product_id": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.13-4.el6op?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch as a component of Red Hat OpenShift Enterprise Infrastructure",
"product_id": "6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"relates_to_product_reference": "6Server-RHOSE-INFRA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src as a component of Red Hat OpenShift Enterprise Infrastructure",
"product_id": "6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"relates_to_product_reference": "6Server-RHOSE-INFRA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch as a component of Red Hat OpenShift Enterprise Node",
"product_id": "6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"relates_to_product_reference": "6Server-RHOSE-NODE"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src as a component of Red Hat OpenShift Enterprise Node",
"product_id": "6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"relates_to_product_reference": "6Server-RHOSE-NODE"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Lawrence Pit"
],
"organization": "Mirror42",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-0333",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "903440"
}
],
"notes": [
{
"category": "description",
"text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activesupport: json to yaml parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"category": "external",
"summary": "RHBZ#903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
}
],
"release_date": "2013-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-01-28T23:10:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0202"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "rubygem-activesupport: json to yaml parsing"
}
]
}
rhsa-2013:0201
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat Subscription Asset Manager.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the authentication\nusing a specially-created JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nUsers of Red Hat Subscription Asset Manager are advised to upgrade to this\nupdated package, which resolves this issue. Katello must be restarted\n(\"service katello restart\") for this update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0201",
"url": "https://access.redhat.com/errata/RHSA-2013:0201"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0201.json"
}
],
"title": "Red Hat Security Advisory: rubygem-activesupport security update",
"tracking": {
"current_release_date": "2025-10-09T14:18:54+00:00",
"generator": {
"date": "2025-10-09T14:18:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2013:0201",
"initial_release_date": "2013-01-28T23:07:00+00:00",
"revision_history": [
{
"date": "2013-01-28T23:07:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-01-28T23:13:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T14:18:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
"product": {
"name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager11",
"product_identification_helper": {
"cpe": "cpe:/a:rhel_sam:1.1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Subscription Asset Manager"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"product": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"product_id": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-7.el6cf?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"product": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"product_id": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-7.el6cf?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
},
"product_reference": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager11"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Lawrence Pit"
],
"organization": "Mirror42",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-0333",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "903440"
}
],
"notes": [
{
"category": "description",
"text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activesupport: json to yaml parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"category": "external",
"summary": "RHBZ#903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
}
],
"release_date": "2013-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-01-28T23:07:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0201"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "rubygem-activesupport: json to yaml parsing"
}
]
}
rhsa-2013_0202
Vulnerability from csaf_redhat
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat OpenShift Enterprise 1.0.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the authentication\nusing a specially-created JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nAll users of Red Hat OpenShift Enterprise are advised to upgrade to this\nupdated package, which resolves this issue. For Red Hat OpenShift\nEnterprise administrators, the openshift-broker and openshift-console\nservices must be restarted for this update to take effect. Users of\nOpenShift are advised to update their own applications that are running\nRuby on Rails.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0202",
"url": "https://access.redhat.com/errata/RHSA-2013:0202"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0202.json"
}
],
"title": "Red Hat Security Advisory: rubygem-activesupport security update",
"tracking": {
"current_release_date": "2024-11-22T06:09:28+00:00",
"generator": {
"date": "2024-11-22T06:09:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:0202",
"initial_release_date": "2013-01-28T23:10:00+00:00",
"revision_history": [
{
"date": "2013-01-28T23:10:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-01-28T23:13:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:09:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise Infrastructure",
"product": {
"name": "Red Hat OpenShift Enterprise Infrastructure",
"product_id": "6Server-RHOSE-INFRA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:1::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise Node",
"product": {
"name": "Red Hat OpenShift Enterprise Node",
"product_id": "6Server-RHOSE-NODE",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"product": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"product_id": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.13-4.el6op?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"product": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"product_id": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.13-4.el6op?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch as a component of Red Hat OpenShift Enterprise Infrastructure",
"product_id": "6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"relates_to_product_reference": "6Server-RHOSE-INFRA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src as a component of Red Hat OpenShift Enterprise Infrastructure",
"product_id": "6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"relates_to_product_reference": "6Server-RHOSE-INFRA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch as a component of Red Hat OpenShift Enterprise Node",
"product_id": "6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"relates_to_product_reference": "6Server-RHOSE-NODE"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src as a component of Red Hat OpenShift Enterprise Node",
"product_id": "6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"relates_to_product_reference": "6Server-RHOSE-NODE"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Lawrence Pit"
],
"organization": "Mirror42",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-0333",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "903440"
}
],
"notes": [
{
"category": "description",
"text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activesupport: json to yaml parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"category": "external",
"summary": "RHBZ#903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
}
],
"release_date": "2013-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-01-28T23:10:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0202"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "rubygem-activesupport: json to yaml parsing"
}
]
}
RHSA-2013:0201
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat Subscription Asset Manager.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the authentication\nusing a specially-created JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nUsers of Red Hat Subscription Asset Manager are advised to upgrade to this\nupdated package, which resolves this issue. Katello must be restarted\n(\"service katello restart\") for this update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0201",
"url": "https://access.redhat.com/errata/RHSA-2013:0201"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0201.json"
}
],
"title": "Red Hat Security Advisory: rubygem-activesupport security update",
"tracking": {
"current_release_date": "2025-10-09T14:18:54+00:00",
"generator": {
"date": "2025-10-09T14:18:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2013:0201",
"initial_release_date": "2013-01-28T23:07:00+00:00",
"revision_history": [
{
"date": "2013-01-28T23:07:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-01-28T23:13:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T14:18:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
"product": {
"name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager11",
"product_identification_helper": {
"cpe": "cpe:/a:rhel_sam:1.1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Subscription Asset Manager"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"product": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"product_id": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-7.el6cf?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"product": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"product_id": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-7.el6cf?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
},
"product_reference": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager11"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Lawrence Pit"
],
"organization": "Mirror42",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-0333",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "903440"
}
],
"notes": [
{
"category": "description",
"text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activesupport: json to yaml parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"category": "external",
"summary": "RHBZ#903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
}
],
"release_date": "2013-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-01-28T23:07:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0201"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "rubygem-activesupport: json to yaml parsing"
}
]
}
rhsa-2013_0203
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat CloudForms.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the authentication\nusing a specially-created JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nUsers of Red Hat CloudForms are advised to upgrade to this updated package,\nwhich resolves this issue. Users of CloudForms Cloud Engine must run\n\"aeolus-services restart\" and users of CloudForms System Engine must run\n\"katello-service restart\" for this update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0203",
"url": "https://access.redhat.com/errata/RHSA-2013:0203"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0203.json"
}
],
"title": "Red Hat Security Advisory: rubygem-activesupport security update",
"tracking": {
"current_release_date": "2024-11-22T06:09:33+00:00",
"generator": {
"date": "2024-11-22T06:09:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:0203",
"initial_release_date": "2013-01-29T05:00:00+00:00",
"revision_history": [
{
"date": "2013-01-29T05:00:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-01-29T05:07:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:09:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Cloud Engine for RHEL 6 Server",
"product": {
"name": "CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine",
"product_identification_helper": {
"cpe": "cpe:/a:cloudforms_cloudengine:1::el6"
}
}
},
{
"category": "product_name",
"name": "CloudForms System Engine for RHEL 6 Server",
"product": {
"name": "CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine",
"product_identification_helper": {
"cpe": "cpe:/a:cloudforms_systemengine:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"product": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"product_id": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-9.el6cf?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-all@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-glue-candlepin@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-api-docs@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-glue-pulp@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-common@1.1.12.1-1.el6cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"product": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"product_id": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-9.el6cf?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "katello-0:1.1.12.1-1.el6cf.src",
"product": {
"name": "katello-0:1.1.12.1-1.el6cf.src",
"product_id": "katello-0:1.1.12.1-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello@1.1.12.1-1.el6cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-0:1.1.12.1-1.el6cf.src as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src"
},
"product_reference": "katello-0:1.1.12.1-1.el6cf.src",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-all-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-common-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"relates_to_product_reference": "6Server-SystemEngine"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Lawrence Pit"
],
"organization": "Mirror42",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-0333",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "903440"
}
],
"notes": [
{
"category": "description",
"text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activesupport: json to yaml parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src",
"6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"category": "external",
"summary": "RHBZ#903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
}
],
"release_date": "2013-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-01-29T05:00:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src",
"6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0203"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src",
"6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "rubygem-activesupport: json to yaml parsing"
}
]
}
RHSA-2013:0203
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat CloudForms.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the authentication\nusing a specially-created JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nUsers of Red Hat CloudForms are advised to upgrade to this updated package,\nwhich resolves this issue. Users of CloudForms Cloud Engine must run\n\"aeolus-services restart\" and users of CloudForms System Engine must run\n\"katello-service restart\" for this update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0203",
"url": "https://access.redhat.com/errata/RHSA-2013:0203"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0203.json"
}
],
"title": "Red Hat Security Advisory: rubygem-activesupport security update",
"tracking": {
"current_release_date": "2025-10-09T14:18:55+00:00",
"generator": {
"date": "2025-10-09T14:18:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2013:0203",
"initial_release_date": "2013-01-29T05:00:00+00:00",
"revision_history": [
{
"date": "2013-01-29T05:00:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-01-29T05:07:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T14:18:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Cloud Engine for RHEL 6 Server",
"product": {
"name": "CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine",
"product_identification_helper": {
"cpe": "cpe:/a:cloudforms_cloudengine:1::el6"
}
}
},
{
"category": "product_name",
"name": "CloudForms System Engine for RHEL 6 Server",
"product": {
"name": "CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine",
"product_identification_helper": {
"cpe": "cpe:/a:cloudforms_systemengine:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"product": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"product_id": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-9.el6cf?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-all@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-glue-candlepin@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-api-docs@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-glue-pulp@1.1.12.1-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"product": {
"name": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"product_id": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-common@1.1.12.1-1.el6cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"product": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"product_id": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-9.el6cf?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "katello-0:1.1.12.1-1.el6cf.src",
"product": {
"name": "katello-0:1.1.12.1-1.el6cf.src",
"product_id": "katello-0:1.1.12.1-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello@1.1.12.1-1.el6cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-0:1.1.12.1-1.el6cf.src as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src"
},
"product_reference": "katello-0:1.1.12.1-1.el6cf.src",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-all-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-all-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-common-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-common-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch"
},
"product_reference": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"relates_to_product_reference": "6Server-SystemEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-9.el6cf.src as a component of CloudForms System Engine for RHEL 6 Server",
"product_id": "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
},
"product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.src",
"relates_to_product_reference": "6Server-SystemEngine"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Lawrence Pit"
],
"organization": "Mirror42",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-0333",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "903440"
}
],
"notes": [
{
"category": "description",
"text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activesupport: json to yaml parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src",
"6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"category": "external",
"summary": "RHBZ#903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
}
],
"release_date": "2013-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-01-29T05:00:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src",
"6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0203"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src",
"6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch",
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "rubygem-activesupport: json to yaml parsing"
}
]
}
rhsa-2013_0201
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat Subscription Asset Manager.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass authentication\nusing a specially crafted JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nUsers of Red Hat Subscription Asset Manager are advised to upgrade to this\nupdated package, which resolves this issue. Katello must be restarted\n(\"service katello restart\") for this update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0201",
"url": "https://access.redhat.com/errata/RHSA-2013:0201"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0201.json"
}
],
"title": "Red Hat Security Advisory: rubygem-activesupport security update",
"tracking": {
"current_release_date": "2024-11-22T06:09:23+00:00",
"generator": {
"date": "2024-11-22T06:09:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:0201",
"initial_release_date": "2013-01-28T23:07:00+00:00",
"revision_history": [
{
"date": "2013-01-28T23:07:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-01-28T23:13:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:09:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
"product": {
"name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager11",
"product_identification_helper": {
"cpe": "cpe:/a:rhel_sam:1.1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Subscription Asset Manager"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"product": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"product_id": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-7.el6cf?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"product": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"product_id": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-7.el6cf?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.10-7.el6cf.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
},
"product_reference": "rubygem-activesupport-1:3.0.10-7.el6cf.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager11"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Lawrence Pit"
],
"organization": "Mirror42",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-0333",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "903440"
}
],
"notes": [
{
"category": "description",
"text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activesupport: json to yaml parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"category": "external",
"summary": "RHBZ#903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
}
],
"release_date": "2013-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-01-28T23:07:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0201"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.noarch",
"6Server-SubscriptionAssetManager11:rubygem-activesupport-1:3.0.10-7.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "rubygem-activesupport: json to yaml parsing"
}
]
}
RHSA-2013:0202
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat OpenShift Enterprise 1.0.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass authentication\nusing a specially crafted JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nAll users of Red Hat OpenShift Enterprise are advised to upgrade to this\nupdated package, which resolves this issue. For Red Hat OpenShift\nEnterprise administrators, the openshift-broker and openshift-console\nservices must be restarted for this update to take effect. Users of\nOpenShift are advised to update their own applications that are running\nRuby on Rails.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0202",
"url": "https://access.redhat.com/errata/RHSA-2013:0202"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0202.json"
}
],
"title": "Red Hat Security Advisory: rubygem-activesupport security update",
"tracking": {
"current_release_date": "2025-10-09T14:18:55+00:00",
"generator": {
"date": "2025-10-09T14:18:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2013:0202",
"initial_release_date": "2013-01-28T23:10:00+00:00",
"revision_history": [
{
"date": "2013-01-28T23:10:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-01-28T23:13:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T14:18:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise Infrastructure",
"product": {
"name": "Red Hat OpenShift Enterprise Infrastructure",
"product_id": "6Server-RHOSE-INFRA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:1::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise Node",
"product": {
"name": "Red Hat OpenShift Enterprise Node",
"product_id": "6Server-RHOSE-NODE",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"product": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"product_id": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.13-4.el6op?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"product": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"product_id": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.13-4.el6op?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch as a component of Red Hat OpenShift Enterprise Infrastructure",
"product_id": "6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"relates_to_product_reference": "6Server-RHOSE-INFRA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src as a component of Red Hat OpenShift Enterprise Infrastructure",
"product_id": "6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"relates_to_product_reference": "6Server-RHOSE-INFRA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.noarch as a component of Red Hat OpenShift Enterprise Node",
"product_id": "6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"relates_to_product_reference": "6Server-RHOSE-NODE"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rubygem-activesupport-1:3.0.13-4.el6op.src as a component of Red Hat OpenShift Enterprise Node",
"product_id": "6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
},
"product_reference": "rubygem-activesupport-1:3.0.13-4.el6op.src",
"relates_to_product_reference": "6Server-RHOSE-NODE"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Lawrence Pit"
],
"organization": "Mirror42",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-0333",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "903440"
}
],
"notes": [
{
"category": "description",
"text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activesupport: json to yaml parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"category": "external",
"summary": "RHBZ#903440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
}
],
"release_date": "2013-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-01-28T23:10:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0202"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-INFRA:rubygem-activesupport-1:3.0.13-4.el6op.src",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.noarch",
"6Server-RHOSE-NODE:rubygem-activesupport-1:3.0.13-4.el6op.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "rubygem-activesupport: json to yaml parsing"
}
]
}
CERTA-2013-AVI-097
Vulnerability from certfr_avis
De multiples vulnérabilités ont été corrigées dans Apple OS X Server. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance. Elles concernent le composant "Ruby on Rails".
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Apple OS X Server versions antérieures à 2.2.1
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cP\u003eApple OS X Server versions ant\u00e9rieures \u00e0 2.2.1\u003c/P\u003e",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-0156",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0156"
},
{
"name": "CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
}
],
"initial_release_date": "2013-02-06T00:00:00",
"last_revision_date": "2013-02-06T00:00:00",
"links": [],
"reference": "CERTA-2013-AVI-097",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-02-06T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eApple OS X Server\u003c/span\u003e. Elles permettent \u00e0 un attaquant\nde provoquer une ex\u00e9cution de code arbitraire \u00e0 distance. Elles\nconcernent le composant \"Ruby on Rails\".\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple OS X Server",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT5644 du 04 f\u00e9vrier 2013",
"url": "http://support.apple.com/kb/HT5644"
}
]
}
CERTA-2013-AVI-187
Vulnerability from certfr_avis
De multiples vulnérabilités ont été corrigées dans Apple OS X Mountain Lion. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Versions antérieures à OS X Mountain Lion v10.8.3
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cP\u003eVersions ant\u00e9rieures \u00e0 OS X Mountain Lion v10.8.3\u003c/P\u003e",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-0976",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0976"
},
{
"name": "CVE-2013-0971",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0971"
},
{
"name": "CVE-2013-0969",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0969"
},
{
"name": "CVE-2013-0156",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0156"
},
{
"name": "CVE-2012-2088",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2088"
},
{
"name": "CVE-2012-3756",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3756"
},
{
"name": "CVE-2013-0963",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0963"
},
{
"name": "CVE-2012-3488",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3488"
},
{
"name": "CVE-2012-3749",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3749"
},
{
"name": "CVE-2011-3058",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3058"
},
{
"name": "CVE-2013-0970",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0970"
},
{
"name": "CVE-2013-0973",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0973"
},
{
"name": "CVE-2012-3489",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3489"
},
{
"name": "CVE-2012-3525",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3525"
},
{
"name": "CVE-2013-0967",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0967"
},
{
"name": "CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"name": "CVE-2013-0966",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0966"
}
],
"initial_release_date": "2013-03-18T00:00:00",
"last_revision_date": "2013-03-18T00:00:00",
"links": [],
"reference": "CERTA-2013-AVI-187",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-03-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eApple OS X Mountain Lion\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9 et une atteinte\n\u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple OS X Mountain Lion",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT5672 du 14 mars 2013",
"url": "http://support.apple.com/kb/HT5672"
}
]
}
CERTA-2013-AVI-074
Vulnerability from certfr_avis
Une vulnérabilité a été corrigée dans Ruby On Rails. Elle concerne le backend YAML de l'analyseur JSON d'ActiveSupport (lib/active_support/json/backends/yaml.rb) : des données JSON spécialement construites sont converties de façon incorrecte en YAML puis traitées par l'analyseur YAML, ce qui peut permettre à un attaquant distant non authentifié d'exécuter du code arbitraire. Il s'agit d'une vulnérabilité distincte de CVE-2013-0156.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Ruby on Rails | Ruby on Rails | Versions antérieures à Ruby On Rails 3.0.20 (pour la branche 3.0) |
| Ruby on Rails | Ruby on Rails | Versions antérieures à Ruby On Rails 2.3.16 (pour la branche 2.3) |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Versions ant\u00e9rieures \u00e0 Ruby On Rails 3.0.20 (pour la branche 3.0)",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "versions ant\u00e9rieures \u00e0 Ruby On Rails 2.3.16",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
}
],
"initial_release_date": "2013-01-30T00:00:00",
"last_revision_date": "2013-01-30T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 28 janvier 2013 :",
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
}
],
"reference": "CERTA-2013-AVI-074",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-01-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 corrig\u00e9e dans \u003cspan class=\"textit\"\u003eRuby On\nRails\u003c/span\u003e. Elle concerne la partie JSON et peut mener un utilisateur\nmalintentionn\u00e9 \u00e0 ex\u00e9cuter du code arbitraire \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby On Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby On Rails du 28 janvier 2013",
"url": null
}
]
}
CERTA-2013-AVI-204
Vulnerability from certfr_avis
De multiples vulnérabilités ont été corrigées dans Google Chrome. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité. Remarque : la liste de CVE rattachée à cet avis dans le présent enregistrement (dont CVE-2013-0156 et CVE-2013-0333, qui concernent Ruby on Rails) est identique à celle de CERTA-2013-AVI-187 (OS X Mountain Lion) ; le rattachement de CVE-2013-0333 à Google Chrome est vraisemblablement une erreur d'indexation et doit être vérifié auprès du bulletin Google cité en référence.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Google Chrome versions antérieures à 26.0.1410.43
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cP\u003eGoogle Chrome versions ant\u00e9rieures \u00e0 26.0.1410.43\u003c/P\u003e",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-0976",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0976"
},
{
"name": "CVE-2013-0971",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0971"
},
{
"name": "CVE-2013-0969",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0969"
},
{
"name": "CVE-2013-0156",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0156"
},
{
"name": "CVE-2012-2088",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2088"
},
{
"name": "CVE-2012-3756",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3756"
},
{
"name": "CVE-2013-0963",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0963"
},
{
"name": "CVE-2012-3488",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3488"
},
{
"name": "CVE-2012-3749",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3749"
},
{
"name": "CVE-2011-3058",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3058"
},
{
"name": "CVE-2013-0970",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0970"
},
{
"name": "CVE-2013-0973",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0973"
},
{
"name": "CVE-2012-3489",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3489"
},
{
"name": "CVE-2012-3525",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3525"
},
{
"name": "CVE-2013-0967",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0967"
},
{
"name": "CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"name": "CVE-2013-0966",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0966"
}
],
"initial_release_date": "2013-03-27T00:00:00",
"last_revision_date": "2013-03-27T00:00:00",
"links": [],
"reference": "CERTA-2013-AVI-204",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-03-27T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eGoogle Chrome\u003c/span\u003e. Certaines d\u0027entre elles permettent\n\u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance,\nun d\u00e9ni de service \u00e0 distance et un contournement de la politique de\ns\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Google Chrome",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Google du 26 mars 2013",
"url": "http://googlechromereleases.blogspot.fr/2013/03/stable-channel-update_26.html"
}
]
}
CERTA-2013-AVI-340
Vulnerability from certfr_avis
De multiples vulnérabilités ont été corrigées dans Apple OS X. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Versions antérieures à OS X Mountain Lion 10.8.4
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cP\u003eVersions ant\u00e9rieures \u00e0 OS X Mountain Lion 10.8.4\u003c/P\u003e",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-0982",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0982"
},
{
"name": "CVE-2012-0050",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0050"
},
{
"name": "CVE-2013-0984",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0984"
},
{
"name": "CVE-2013-0277",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0277"
},
{
"name": "CVE-2013-1856",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1856"
},
{
"name": "CVE-2011-3210",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3210"
},
{
"name": "CVE-2013-1855",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1855"
},
{
"name": "CVE-2013-0276",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0276"
},
{
"name": "CVE-2011-4619",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4619"
},
{
"name": "CVE-2013-0985",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0985"
},
{
"name": "CVE-2012-2110",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2110"
},
{
"name": "CVE-2011-4576",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4576"
},
{
"name": "CVE-2011-4577",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4577"
},
{
"name": "CVE-2013-0983",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0983"
},
{
"name": "CVE-2013-0989",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0989"
},
{
"name": "CVE-2011-4108",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4108"
},
{
"name": "CVE-2013-0990",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0990"
},
{
"name": "CVE-2013-0155",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0155"
},
{
"name": "CVE-2013-0986",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0986"
},
{
"name": "CVE-2013-0988",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0988"
},
{
"name": "CVE-2013-1024",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1024"
},
{
"name": "CVE-2013-0975",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0975"
},
{
"name": "CVE-2011-4109",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4109"
},
{
"name": "CVE-2011-3207",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3207"
},
{
"name": "CVE-2012-5519",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5519"
},
{
"name": "CVE-2011-1945",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-1945"
},
{
"name": "CVE-2013-0987",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0987"
},
{
"name": "CVE-2012-4929",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4929"
},
{
"name": "CVE-2013-1854",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1854"
},
{
"name": "CVE-2013-0333",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0333"
},
{
"name": "CVE-2012-2333",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2333"
},
{
"name": "CVE-2013-1857",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1857"
},
{
"name": "CVE-2012-2131",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2131"
}
],
"initial_release_date": "2013-06-05T00:00:00",
"last_revision_date": "2013-06-05T00:00:00",
"links": [],
"reference": "CERTA-2013-AVI-340",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-06-05T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eApple OS X\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un contournement\nde la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple OS X",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT5784 du 04 juin 2013",
"url": "http://support.apple.com/kb/HT5784"
}
]
}
ghsa-xgr2-v94m-rc9g
Vulnerability from github
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activesupport"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.2"
},
{
"fixed": "2.3.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "activesupport"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-0333"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:03:24Z",
"nvd_published_at": "2013-01-30T12:00:00Z",
"severity": "HIGH"
},
"details": "`lib/active_support/json/backends/yaml.rb` in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"id": "GHSA-xgr2-v94m-rc9g",
"modified": "2023-08-25T20:10:51Z",
"published": "2017-10-24T18:33:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:0201"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:0202"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:0203"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2013-0333"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-xgr2-v94m-rc9g"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2013-0333.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
},
{
"type": "WEB",
"url": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain"
},
{
"type": "WEB",
"url": "https://puppet.com/security/cve/cve-2013-0333"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0201.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0202.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0203.html"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT5784"
},
{
"type": "WEB",
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2013/dsa-2613"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/628463"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "activesupport in Rails vulnerable to incorrect data conversion"
}
fkie_cve-2013-0333
Vulnerability from fkie_nvd
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html | ||
| secalert@redhat.com | http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html | ||
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2013-0201.html | ||
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2013-0202.html | ||
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2013-0203.html | ||
| secalert@redhat.com | http://support.apple.com/kb/HT5784 | ||
| secalert@redhat.com | http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/ | ||
| secalert@redhat.com | http://www.debian.org/security/2013/dsa-2613 | ||
| secalert@redhat.com | http://www.kb.cert.org/vuls/id/628463 | US Government Resource | |
| secalert@redhat.com | https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain | Vendor Advisory | |
| secalert@redhat.com | https://puppet.com/security/cve/cve-2013-0333 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2013-0201.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2013-0202.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2013-0203.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://support.apple.com/kb/HT5784 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2013/dsa-2613 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/628463 | US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://puppet.com/security/cve/cve-2013-0333 |
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 2.3.0 | |
| rubyonrails | rails | 2.3.1 | |
| rubyonrails | rails | 2.3.2 | |
| rubyonrails | rails | 2.3.3 | |
| rubyonrails | rails | 2.3.4 | |
| rubyonrails | rails | 2.3.9 | |
| rubyonrails | rails | 2.3.10 | |
| rubyonrails | rails | 2.3.11 | |
| rubyonrails | rails | 2.3.12 | |
| rubyonrails | rails | 2.3.13 | |
| rubyonrails | rails | 2.3.14 | |
| rubyonrails | rails | 2.3.15 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.3 | |
| rubyonrails | rails | 3.0.4 | |
| rubyonrails | rails | 3.0.5 | |
| rubyonrails | rails | 3.0.5 | |
| rubyonrails | rails | 3.0.6 | |
| rubyonrails | rails | 3.0.6 | |
| rubyonrails | rails | 3.0.6 | |
| rubyonrails | rails | 3.0.7 | |
| rubyonrails | rails | 3.0.7 | |
| rubyonrails | rails | 3.0.7 | |
| rubyonrails | rails | 3.0.8 | |
| rubyonrails | rails | 3.0.8 | |
| rubyonrails | rails | 3.0.8 | |
| rubyonrails | rails | 3.0.8 | |
| rubyonrails | rails | 3.0.8 | |
| rubyonrails | rails | 3.0.9 | |
| rubyonrails | rails | 3.0.9 | |
| rubyonrails | rails | 3.0.9 | |
| rubyonrails | rails | 3.0.9 | |
| rubyonrails | rails | 3.0.9 | |
| rubyonrails | rails | 3.0.9 | |
| rubyonrails | rails | 3.0.10 | |
| rubyonrails | rails | 3.0.10 | |
| rubyonrails | rails | 3.0.11 | |
| rubyonrails | rails | 3.0.12 | |
| rubyonrails | rails | 3.0.12 | |
| rubyonrails | rails | 3.0.13 | |
| rubyonrails | rails | 3.0.13 | |
| rubyonrails | rails | 3.0.14 | |
| rubyonrails | rails | 3.0.16 | |
| rubyonrails | rails | 3.0.17 | |
| rubyonrails | rails | 3.0.18 | |
| rubyonrails | rails | 3.0.19 | |
| rubyonrails | ruby_on_rails | 3.0.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156."
},
{
"lang": "es",
"value": "lib/active_support/json/backends/yaml.rb en Ruby on Rails v2.3.x anterior a v2.3.16 y v3.0.x anterior a v3.0.20 no convierte correctamente los datos de tipo JSON a datos YAML para el procesamiento por el analizador YAML, lo cual permite a atacantes remotos ejecutar c\u00f3digo arbitrario, realizar ataques de inyecci\u00f3n SQL, o saltarse la autentificaci\u00f3n a trav\u00e9s de la modificaci\u00f3n de datos que disparan una descodificaci\u00f3n insegura, esta vulnerabilidad es diferente a CVE-2013-0156."
}
],
"id": "CVE-2013-0333",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-01-30T12:00:08.930",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0201.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0202.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0203.html"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2013/dsa-2613"
},
{
"source": "secalert@redhat.com",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2013-0333"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0201.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0202.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0203.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2013/dsa-2613"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2013-0333"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
gsd-2013-0333
Vulnerability from gsd
{
"GSD": {
"alias": "CVE-2013-0333",
"description": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"id": "GSD-2013-0333",
"references": [
"https://www.suse.com/security/cve/CVE-2013-0333.html",
"https://www.debian.org/security/2013/dsa-2613",
"https://access.redhat.com/errata/RHSA-2013:0203",
"https://access.redhat.com/errata/RHSA-2013:0202",
"https://access.redhat.com/errata/RHSA-2013:0201",
"https://packetstormsecurity.com/files/cve/CVE-2013-0333"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activesupport",
"purl": "pkg:gem/activesupport"
}
}
],
"aliases": [
"CVE-2013-0333",
"OSVDB-89594"
],
"details": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"id": "GSD-2013-0333",
"modified": "2013-01-28T00:00:00.000Z",
"published": "2013-01-28T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 9.3,
"type": "CVSS_V2"
}
],
"summary": "CVE-2013-0333 rubygem-activesupport: json to yaml parsing"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0333",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html",
"refsource": "MISC",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"name": "http://support.apple.com/kb/HT5784",
"refsource": "MISC",
"url": "http://support.apple.com/kb/HT5784"
},
{
"name": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html",
"refsource": "MISC",
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"name": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/",
"refsource": "MISC",
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"name": "http://www.kb.cert.org/vuls/id/628463",
"refsource": "MISC",
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-0201.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0201.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-0202.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0202.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-0203.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0203.html"
},
{
"name": "http://www.debian.org/security/2013/dsa-2613",
"refsource": "MISC",
"url": "http://www.debian.org/security/2013/dsa-2613"
},
{
"name": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain",
"refsource": "MISC",
"url": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain"
},
{
"name": "https://puppet.com/security/cve/cve-2013-0333",
"refsource": "MISC",
"url": "https://puppet.com/security/cve/cve-2013-0333"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-0333",
"cvss_v2": 9.3,
"date": "2013-01-28",
"description": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.",
"framework": "rails",
"gem": "activesupport",
"osvdb": 89594,
"patched_versions": [
"~\u003e 2.3.16",
"\u003e= 3.0.20"
],
"title": "CVE-2013-0333 rubygem-activesupport: json to yaml parsing",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2.3.16 || \u003e=2.4.0 \u003c3.0.20",
"affected_versions": "All versions before 2.3.16, all versions starting from 2.4.0 before 3.0.20",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2019-08-08",
"description": "There is a vulnerability in the JSON parsing code of Ruby on Rails that allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.",
"fixed_versions": [
"2.3.16",
"3.0.20"
],
"identifier": "CVE-2013-0333",
"identifiers": [
"CVE-2013-0333"
],
"not_impacted": "3.1.x, 3.2.x, applications using the yajl gem.",
"package_slug": "gem/activesupport",
"pubdate": "2013-01-30",
"solution": "Upgrade, patches and workarounds available (see source)",
"title": "Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3",
"urls": [
"https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"
],
"uuid": "6a7e454f-90c7-479e-a648-617f3e45c0df"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0333"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rubyonrails-security] 20130129 Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3",
"refsource": "MLIST",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain"
},
{
"name": "RHSA-2013:0203",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0203.html"
},
{
"name": "VU#628463",
"refsource": "CERT-VN",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"name": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/",
"refsource": "CONFIRM",
"tags": [],
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"name": "DSA-2613",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2013/dsa-2613"
},
{
"name": "RHSA-2013:0201",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0201.html"
},
{
"name": "RHSA-2013:0202",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0202.html"
},
{
"name": "APPLE-SA-2013-03-14-1",
"refsource": "APPLE",
"tags": [],
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"name": "APPLE-SA-2013-06-04-1",
"refsource": "APPLE",
"tags": [],
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"name": "http://support.apple.com/kb/HT5784",
"refsource": "CONFIRM",
"tags": [],
"url": "http://support.apple.com/kb/HT5784"
},
{
"name": "https://puppet.com/security/cve/cve-2013-0333",
"refsource": "CONFIRM",
"tags": [],
"url": "https://puppet.com/security/cve/cve-2013-0333"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T04:41Z",
"publishedDate": "2013-01-30T12:00Z"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.