CVE-2013-1854

Sažetak

The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.

Reference

https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain
http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
http://rhn.redhat.com/errata/RHSA-2013-0699.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
http://support.apple.com/kb/HT5784
http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
http://rhn.redhat.com/errata/RHSA-2014-1863.html

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:N/A:P

Zadnje važnije ažuriranje

13-02-2023 - 04:41

Objavljeno

19-03-2013 - 22:55