The MITRE CVE dictionary describes this issue as:
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Find out more about CVE-2013-0156 from the
MITRE CVE dictionary dictionary and
For details of affected products and workarounds see https://access.redhat.com/knowledge/node/290903