Improper input validation in Rubyonrails Rails
CVE-2013-0156
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct objec…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.919 (99.7th percentile)
Affected products
- Rubyonrails Rails
- Rubyonrails Ruby_on_rails
- Debian Debian_linux — versions 6.0, 7.0
References
- [rubyonrails-security] 20130108 Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156) (mailing-list, x_refsource_MLIST, Third Party Advisory)
- secalert@redhat.com (Third Party Advisory, x_refsource_MISC)
- RHSA-2013:0155 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
- VU#628463 (x_refsource_CERT-VN, US Government Resource, Third Party Advisory, third-party-advisory)
- secalert@redhat.com (Third Party Advisory, x_refsource_MISC)
- secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
- VU#380039 (x_refsource_CERT-VN, US Government Resource, Third Party Advisory, third-party-advisory)
- APPLE-SA-2013-03-14-1 (vendor-advisory, x_refsource_APPLE, Mailing List, Third Party Advisory)
- DSA-2604 (vendor-advisory, Third Party Advisory, x_refsource_DEBIAN)
- secalert@redhat.com (US Government Resource, Third Party Advisory, x_refsource_MISC)
Frequently asked questions
- What is CVE-2013-0156?
- CVE-2013-0156 is a vulnerability in Rubyonrails Rails, classified under Improper Input Validation. Published 2013-01-13.
- Is CVE-2013-0156 known to be exploited?
- 43 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.