Denial of Service Vulnerability in Ruby on Rails Active Record Component
CVE-2013-1854

Currently unrated

Key Information:

CVE Published: 19 March 2013

What is CVE-2013-1854?

The Active Record component in Ruby on Rails processes certain queries in a manner that converts hash keys to symbols. This behavior can be exploited by remote attackers who send specially crafted input to the 'where' method. Such input can cause the system to utilize excessive resources, leading to a denial of service condition. This vulnerability affects various versions of Ruby on Rails prior to their respective patches, making it crucial for users to upgrade to secure versions to prevent potential attacks.
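A defensive sketch to use alongside upgrading, added here as an example and not taken from this page or from Rails: it builds the conditions passed to `where` from allowlisted column names and scalar values only, so a request-supplied Hash never reaches the key-to-symbol conversion described above. It assumes the application passes request parameters into `where`; `ALLOWED_COLUMNS`, `UnsafeCondition`, `safe_conditions` and `rejected?` are hypothetical names, and the sample inputs are constructed.

```ruby
# Added illustration, not Rails code. ALLOWED_COLUMNS, UnsafeCondition,
# safe_conditions and rejected? are hypothetical names.
ALLOWED_COLUMNS = %w[name email].freeze

class UnsafeCondition < ArgumentError; end

# Build a conditions hash that is safe to hand to a query method such as
# Active Record's `where`. Keys come only from the allowlist and stay Strings;
# values must be scalars, so nested Hashes (and, in this strict guard, Arrays)
# are refused before the query layer sees them.
def safe_conditions(params, allowed = ALLOWED_COLUMNS)
  conditions = {}
  params.each do |key, value|
    column = key.to_s
    next unless allowed.include?(column) # unknown keys are dropped, not converted
    case value
    when String, Numeric
      conditions[column] = value.to_s
    when nil
      conditions[column] = nil
    else
      raise UnsafeCondition, "non-scalar value for #{column}: #{value.class}"
    end
  end
  conditions
end

# True when the guard refuses the parameters (useful for logging or returning 400).
def rejected?(params)
  safe_conditions(params)
  false
rescue UnsafeCondition
  true
end

# Constructed sample inputs, shaped like parsed request parameters.
BENIGN = { "name" => "alice", "page" => "2" }.freeze
NESTED = { "name" => { "arbitrary_key" => "x" } }.freeze
LISTED = { "email" => ["a@example.com", "b@example.com"] }.freeze

if __FILE__ == $PROGRAM_NAME
  p safe_conditions(BENIGN)
  p rejected?(NESTED)
  p rejected?(LISTED)
end
```
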
