Upstream information

CVE-2013-0156 at MITRE

Description

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

SUSE information

CVSS v2 Scores
  National Vulnerability Database
Base Score 7.48
Vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
SUSE Bugzilla entries: 797452 [RESOLVED / FIXED], 798321 [RESOLVED / FIXED], 800320 [RESOLVED / FIXED], 804719 [RESOLVED / ]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Software Development Kit 11 SP2
  • rubygem-actionmailer-2_3 >= 2.3.17-0.9.1
  • rubygem-actionpack-2_3 >= 2.3.17-0.9.1
  • rubygem-activerecord-2_3 >= 2.3.17-0.9.1
  • rubygem-activeresource-2_3 >= 2.3.17-0.9.1
  • rubygem-activesupport-2_3 >= 2.3.17-0.9.1
  • rubygem-rails >= 2.3.17-0.8.1
  • rubygem-rails-2_3 >= 2.3.17-0.9.1
Patchnames:
sdksp2-rubygem-actionmailer-2_3
SUSE Studio Onsite Runner 1.2
  • rubygem-actionmailer-2_3 >= 2.3.17-0.6.1
  • rubygem-actionpack-2_3 >= 2.3.17-0.6.1
  • rubygem-activerecord-2_3 >= 2.3.17-0.6.1
  • rubygem-activeresource-2_3 >= 2.3.17-0.6.1
  • rubygem-activesupport-2_3 >= 2.3.17-0.6.1
  • rubygem-rails-2_3 >= 2.3.17-0.6.2
Patchnames:
slestso12-rubygem-actionmailer-2_3
SUSE Cloud 1.0
  • rubygem-actionmailer-2_3 >= 2.3.17-0.9.1
  • rubygem-actionpack-2_3 >= 2.3.17-0.9.1
  • rubygem-activerecord-2_3 >= 2.3.17-0.9.1
  • rubygem-activeresource-2_3 >= 2.3.17-0.9.1
  • rubygem-activesupport-2_3 >= 2.3.17-0.9.1
  • rubygem-rails-2_3 >= 2.3.17-0.9.1
Builds
SAT Patch Nr: 7363
SUSE Linux Enterprise Software Development Kit 11 SP2
  • rubygem-actionmailer-2_3 >= 2.3.17-0.9.1
  • rubygem-actionpack-2_3 >= 2.3.17-0.9.1
  • rubygem-activerecord-2_3 >= 2.3.17-0.9.1
  • rubygem-activeresource-2_3 >= 2.3.17-0.9.1
  • rubygem-activesupport-2_3 >= 2.3.17-0.9.1
  • rubygem-rails >= 2.3.16-0.7.1
  • rubygem-rails-2_3 >= 2.3.17-0.9.1
Builds
SAT Patch Nr: 7363
SUSE Studio Standard Edition 1.2
  • rubygem-actionmailer-2_3 >= 2.3.17-0.6.1
  • rubygem-actionpack-2_3 >= 2.3.17-0.6.1
  • rubygem-activerecord-2_3 >= 2.3.17-0.6.1
  • rubygem-activeresource-2_3 >= 2.3.17-0.6.1
  • rubygem-activesupport-2_3 >= 2.3.17-0.6.1
  • rubygem-rails >= 2.3.16-0.4.5.1
  • rubygem-rails-2_3 >= 2.3.17-0.6.1
Builds
SAT Patch Nr: 7364
SUSE Studio Extension for System z 1.2
SUSE Studio Onsite 1.2 [Appliance - Studio]
WebYaST 1.2
  • rubygem-actionmailer-2_3 >= 2.3.17-0.6.1
  • rubygem-actionpack-2_3 >= 2.3.17-0.6.1
  • rubygem-activerecord-2_3 >= 2.3.17-0.6.1
  • rubygem-activeresource-2_3 >= 2.3.17-0.6.1
  • rubygem-activesupport-2_3 >= 2.3.17-0.6.1
  • rubygem-rails-2_3 >= 2.3.17-0.6.1
Builds
SAT Patch Nr: 7364
SUSE Cloud 1.0
  • rubygem-merb-core >= 1.1.3-0.9.1
Builds
SAT Patch Nr: 7405
openSUSE Evergreen 11.4
  • rubygem-actionmailer >= 2.3.16-0.6.1
  • rubygem-actionmailer-2_3 >= 2.3.16-0.16.1
  • rubygem-actionmailer-2_3-doc >= 2.3.16-0.16.1
  • rubygem-actionmailer-2_3-testsuite >= 2.3.16-0.16.1
  • rubygem-actionpack >= 2.3.16-0.6.1
  • rubygem-actionpack-2_3 >= 2.3.16-0.23.1
  • rubygem-actionpack-2_3-doc >= 2.3.16-0.23.1
  • rubygem-actionpack-2_3-testsuite >= 2.3.16-0.23.1
  • rubygem-activerecord >= 2.3.16-0.6.1
  • rubygem-activerecord-2_3 >= 2.3.16-0.19.1
  • rubygem-activerecord-2_3-doc >= 2.3.16-0.19.1
  • rubygem-activerecord-2_3-testsuite >= 2.3.16-0.19.1
  • rubygem-activeresource >= 2.3.16-0.6.1
  • rubygem-activeresource-2_3 >= 2.3.16-0.16.1
  • rubygem-activeresource-2_3-doc >= 2.3.16-0.16.1
  • rubygem-activeresource-2_3-testsuite >= 2.3.16-0.16.1
  • rubygem-activesupport >= 2.3.16-0.6.1
  • rubygem-activesupport-2_3 >= 2.3.16-0.16.1
  • rubygem-activesupport-2_3-doc >= 2.3.16-0.16.1
  • rubygem-rack >= 1.1.5-0.8.1
  • rubygem-rails >= 2.3.16-0.6.1
  • rubygem-rails-2_3 >= 2.3.16-0.12.1
  • rubygem-rails-2_3-doc >= 2.3.16-0.12.1
Patchnames:
2013-21