Object Injection Vulnerability in Ruby on Rails Affects Multiple Versions
CVE-2013-0156

Currently unrated

Key Information:

Vendor: Rubyonrails
Status: Ruby On Rails; Rails
Vendor: CVE Published:; 13 January 2013

🔔 Create Rubyonrails Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 91%

What is CVE-2013-0156?

The vulnerability in Ruby on Rails occurs due to insufficient restrictions on the casting of string values, enabling remote attackers to exploit this flaw through object-injection attacks. By leveraging Action Pack's support for YAML and Symbol type conversions, attackers can execute arbitrary code or trigger a denial-of-service condition through excessive memory and CPU consumption, often involving crafted nested XML entity references. The vulnerability affects multiple Ruby on Rails versions prior to their respective fixed releases, which must be updated to mitigate the associated risks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

rails-exploit-cve-2013-0156
Created by bsodmike

heroku-CVE-2013-0156
Created by heroku

CVE-2013-0156
Created by oxBEN10

References

https://groups.google.com/group/rubyonrails-security/msg/...

mailing-listx_refsource_MLIST

http://www.insinuator.net/2013/01/rails-yaml/

x_refsource_MISC

http://rhn.redhat.com/errata/RHSA-2013-0155.html

vendor-advisoryx_refsource_REDHAT

EPSS Score

91% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 13, 2024
👾
Exploit known to exist
Aug 6, 2024
Vulnerability published
Jan 13, 2013
Vulnerability Reserved
Dec 6, 2012