rhsa-2013_0203
Vulnerability from csaf_redhat
Published
2013-01-29 05:00
Modified
2024-11-22 06:09
Summary
Red Hat Security Advisory: rubygem-activesupport security update
Notes
Topic
An updated rubygem-activesupport package that fixes one security issue is
now available for Red Hat CloudForms.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
Ruby on Rails is a model–view–controller (MVC) framework for web
application development. Active Support provides support and utility
classes used by the Ruby on Rails framework.
A flaw was found in the way Active Support parsed JSON requests: the JSON
backend translated the request body to YAML and handed it to the YAML parser,
which honours YAML type tags and can therefore deserialize arbitrary Ruby
objects from attacker-controlled input (CWE-502). A remote attacker could use
this flaw to execute arbitrary code with the privileges of the Ruby on Rails
application, perform SQL injection attacks, or bypass authentication using a
specially crafted JSON request. (CVE-2013-0333)
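The following is an added illustration of the class of flaw described above; it is not Active Support's JSON backend, not the CloudForms patch, and not an exploit for any real application. It contrasts three ways of decoding a request body: handing the text to the YAML loader (the vulnerable pattern), using a real JSON parser, and using Psych's safe loader. AuditHook is a hypothetical class standing in for any class on an application's load path, the two request bodies are constructed samples, and the fallback from YAML.unsafe_load to YAML.load is only there because older Psych releases lack the unsafe_load name.

```ruby
require 'json'
require 'yaml'

# Hypothetical class (added for this example). An attacker never needs to
# define it; naming an existing class in a YAML tag is enough.
class AuditHook
  attr_accessor :command
end

# Vulnerable pattern: JSON is close to a subset of YAML flow syntax, so a
# decoder can pass the body to the YAML parser. The YAML parser honours type
# tags such as !ruby/object:ClassName, which plain JSON does not have, and
# will allocate that class and populate its instance variables.
def decode_via_yaml(text)
  # Psych >= 3.3.2 exposes unsafe_load; older Psych's YAML.load is unsafe.
  loader = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load
  YAML.public_send(loader, text)
end

# Hardened: a real JSON parser yields only Hash, Array, String, Numeric,
# true, false and nil. Anything else in the input is a parse error.
def decode_via_json(text)
  JSON.parse(text)
end

# If YAML must be accepted, safe_load refuses tagged objects (and symbols)
# unless a permitted class list is supplied.
def decode_via_safe_yaml(text)
  YAML.safe_load(text)
end

PLAIN_TYPES = [Hash, Array, String, Numeric, TrueClass, FalseClass, NilClass].freeze

# Walk a decoded value and collect anything that is not plain data.
def collect_non_plain(value, found = [])
  case value
  when Hash  then value.each_value { |v| collect_non_plain(v, found) }
  when Array then value.each { |v| collect_non_plain(v, found) }
  else
    found << value unless PLAIN_TYPES.any? { |k| value.is_a?(k) }
  end
  found
end

# Report how a decoder treats a body: :plain_data, :object_instantiated, or
# the exception class name when the decoder rejects the input outright.
def classify(decoder, text)
  value = send(decoder, text)
  collect_non_plain(value).empty? ? :plain_data : :object_instantiated
rescue JSON::ParserError, Psych::Exception => e
  e.class.name
end

# Constructed sample bodies (not taken from the advisory).
BENIGN_BODY = '{"user": {"name": "alice"}}'
# Valid YAML flow mapping but invalid JSON: a Ruby object tag inside the body.
TAGGED_BODY = '{"user": !ruby/object:AuditHook {command: "id"}}'

if __FILE__ == $PROGRAM_NAME
  %i[decode_via_yaml decode_via_json decode_via_safe_yaml].each do |decoder|
    puts format('%-21s benign=%-20s tagged=%s', decoder,
                classify(decoder, BENIGN_BODY), classify(decoder, TAGGED_BODY))
  end
end
```

Run stand-alone, the script shows the YAML route turning the tagged body into a live AuditHook instance while the JSON parser rejects it with a parse error and safe_load rejects it with Psych::DisallowedClass; the benign body decodes to plain data on every route. The practical check for any Ruby service is the same as the one this advisory resolves: no request body should reach YAML.load (or unsafe_load) and, where YAML is unavoidable, only safe_load with an explicit class allow-list should be used.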
Red Hat would like to thank Ruby on Rails upstream for reporting this
issue. Upstream acknowledges Lawrence Pit of Mirror42 as the original
reporter.
Users of Red Hat CloudForms are advised to upgrade to this updated package,
which resolves this issue. Users of CloudForms Cloud Engine must run
"aeolus-services restart" and users of CloudForms System Engine must run
"katello-service restart" for this update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An updated rubygem-activesupport package that fixes one security issue is\nnow available for Red Hat CloudForms.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.", "title": "Topic" }, { "category": "general", "text": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Active Support provides support and utility\nclasses used by the Ruby on Rails framework.\n\nA flaw was found in the way Active Support performed the parsing of JSON\nrequests by translating them to YAML. A remote attacker could use this flaw\nto execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the authentication\nusing a specially-created JSON request. (CVE-2013-0333)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting this\nissue. Upstream acknowledges Lawrence Pit of Mirror42 as the original\nreporter.\n\nUsers of Red Hat CloudForms are advised to upgrade to this updated package,\nwhich resolves this issue. 
Users of CloudForms Cloud Engine must run\n\"aeolus-services restart\" and users of CloudForms System Engine must run\n\"katello-service restart\" for this update to take effect.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2013:0203", "url": "https://access.redhat.com/errata/RHSA-2013:0203" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "903440", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0203.json" } ], "title": "Red Hat Security Advisory: rubygem-activesupport security update", "tracking": { "current_release_date": "2024-11-22T06:09:33+00:00", "generator": { "date": "2024-11-22T06:09:33+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2013:0203", "initial_release_date": "2013-01-29T05:00:00+00:00", "revision_history": [ { "date": "2013-01-29T05:00:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2013-01-29T05:07:05+00:00", "number": "2", "summary": "Last 
updated version" }, { "date": "2024-11-22T06:09:33+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "CloudForms Cloud Engine for RHEL 6 Server", "product": { "name": "CloudForms Cloud Engine for RHEL 6 Server", "product_id": "6Server-CloudEngine", "product_identification_helper": { "cpe": "cpe:/a:cloudforms_cloudengine:1::el6" } } }, { "category": "product_name", "name": "CloudForms System Engine for RHEL 6 Server", "product": { "name": "CloudForms System Engine for RHEL 6 Server", "product_id": "6Server-SystemEngine", "product_identification_helper": { "cpe": "cpe:/a:cloudforms_systemengine:1::el6" } } } ], "category": "product_family", "name": "Red Hat CloudForms" }, { "branches": [ { "category": "product_version", "name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "product": { "name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "product_id": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-9.el6cf?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "katello-all-0:1.1.12.1-1.el6cf.noarch", "product": { "name": "katello-all-0:1.1.12.1-1.el6cf.noarch", "product_id": "katello-all-0:1.1.12.1-1.el6cf.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/katello-all@1.1.12.1-1.el6cf?arch=noarch" } } }, { "category": "product_version", "name": "katello-0:1.1.12.1-1.el6cf.noarch", "product": { "name": "katello-0:1.1.12.1-1.el6cf.noarch", "product_id": "katello-0:1.1.12.1-1.el6cf.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/katello@1.1.12.1-1.el6cf?arch=noarch" } } }, { "category": "product_version", "name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch", "product": { "name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch", "product_id": 
"katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/katello-glue-candlepin@1.1.12.1-1.el6cf?arch=noarch" } } }, { "category": "product_version", "name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch", "product": { "name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch", "product_id": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/katello-api-docs@1.1.12.1-1.el6cf?arch=noarch" } } }, { "category": "product_version", "name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch", "product": { "name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch", "product_id": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/katello-glue-pulp@1.1.12.1-1.el6cf?arch=noarch" } } }, { "category": "product_version", "name": "katello-common-0:1.1.12.1-1.el6cf.noarch", "product": { "name": "katello-common-0:1.1.12.1-1.el6cf.noarch", "product_id": "katello-common-0:1.1.12.1-1.el6cf.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/katello-common@1.1.12.1-1.el6cf?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "rubygem-activesupport-1:3.0.10-9.el6cf.src", "product": { "name": "rubygem-activesupport-1:3.0.10-9.el6cf.src", "product_id": "rubygem-activesupport-1:3.0.10-9.el6cf.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rubygem-activesupport@3.0.10-9.el6cf?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "katello-0:1.1.12.1-1.el6cf.src", "product": { "name": "katello-0:1.1.12.1-1.el6cf.src", "product_id": "katello-0:1.1.12.1-1.el6cf.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/katello@1.1.12.1-1.el6cf?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", 
"full_product_name": { "name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server", "product_id": "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch" }, "product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "relates_to_product_reference": "6Server-CloudEngine" }, { "category": "default_component_of", "full_product_name": { "name": "rubygem-activesupport-1:3.0.10-9.el6cf.src as a component of CloudForms Cloud Engine for RHEL 6 Server", "product_id": "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src" }, "product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.src", "relates_to_product_reference": "6Server-CloudEngine" }, { "category": "default_component_of", "full_product_name": { "name": "katello-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server", "product_id": "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch" }, "product_reference": "katello-0:1.1.12.1-1.el6cf.noarch", "relates_to_product_reference": "6Server-SystemEngine" }, { "category": "default_component_of", "full_product_name": { "name": "katello-0:1.1.12.1-1.el6cf.src as a component of CloudForms System Engine for RHEL 6 Server", "product_id": "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src" }, "product_reference": "katello-0:1.1.12.1-1.el6cf.src", "relates_to_product_reference": "6Server-SystemEngine" }, { "category": "default_component_of", "full_product_name": { "name": "katello-all-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server", "product_id": "6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch" }, "product_reference": "katello-all-0:1.1.12.1-1.el6cf.noarch", "relates_to_product_reference": "6Server-SystemEngine" }, { "category": "default_component_of", "full_product_name": { "name": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server", "product_id": 
"6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch" }, "product_reference": "katello-api-docs-0:1.1.12.1-1.el6cf.noarch", "relates_to_product_reference": "6Server-SystemEngine" }, { "category": "default_component_of", "full_product_name": { "name": "katello-common-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server", "product_id": "6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch" }, "product_reference": "katello-common-0:1.1.12.1-1.el6cf.noarch", "relates_to_product_reference": "6Server-SystemEngine" }, { "category": "default_component_of", "full_product_name": { "name": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server", "product_id": "6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch" }, "product_reference": "katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch", "relates_to_product_reference": "6Server-SystemEngine" }, { "category": "default_component_of", "full_product_name": { "name": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server", "product_id": "6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch" }, "product_reference": "katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch", "relates_to_product_reference": "6Server-SystemEngine" }, { "category": "default_component_of", "full_product_name": { "name": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch as a component of CloudForms System Engine for RHEL 6 Server", "product_id": "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch" }, "product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "relates_to_product_reference": "6Server-SystemEngine" }, { "category": "default_component_of", "full_product_name": { "name": "rubygem-activesupport-1:3.0.10-9.el6cf.src as a component of CloudForms System Engine for RHEL 6 Server", "product_id": 
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src" }, "product_reference": "rubygem-activesupport-1:3.0.10-9.el6cf.src", "relates_to_product_reference": "6Server-SystemEngine" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Ruby on Rails upstream" ] }, { "names": [ "Lawrence Pit" ], "organization": "Mirror42", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2013-0333", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2013-01-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "903440" } ], "notes": [ { "category": "description", "text": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.", "title": "Vulnerability description" }, { "category": "summary", "text": "rubygem-activesupport: json to yaml parsing", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src", "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src", "6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch", 
"6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-0333" }, { "category": "external", "summary": "RHBZ#903440", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=903440" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0333", "url": "https://www.cve.org/CVERecord?id=CVE-2013-0333" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0333" }, { "category": "external", "summary": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo", "url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo" } ], "release_date": "2013-01-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-01-29T05:00:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258", "product_ids": [ "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src", "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src", "6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:0203" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch", "6Server-CloudEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src", "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-0:1.1.12.1-1.el6cf.src", "6Server-SystemEngine:katello-all-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-api-docs-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-common-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-glue-candlepin-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:katello-glue-pulp-0:1.1.12.1-1.el6cf.noarch", "6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.noarch", 
"6Server-SystemEngine:rubygem-activesupport-1:3.0.10-9.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "rubygem-activesupport: json to yaml parsing" } ] }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.