CVE-2013-0269
The MITRE CVE dictionary describes this issue as:
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
Find out more about CVE-2013-0269 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 7.5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Fuse 6.0 | RHSA-2013:1185 | 2013-08-29 |
| Red Hat OpenShift Enterprise Client Tools | RHSA-2013:0701 | 2013-04-02 |
| Red Hat JBoss SOA Platform 5.3 | RHSA-2013:1147 | 2013-08-08 |
| Red Hat Subscription Asset Manager 1.2 (rubygem-json) | RHSA-2013:0686 | 2013-03-26 |
| Fuse ESB Enterprise 7.1.0 | RHSA-2013:1028 | 2013-07-09 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Enterprise SOA Platform 4.3 | jruby | Will not fix |
| Red Hat Enterprise MRG 2 | rubygem-json | Will not fix |
| Red Hat CloudForms Tools 1 | rubygem-json | Will not fix |
Acknowledgements
Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters.External References
CVE description copyright © 2017, The MITRE Corporation