Vulnerability Name: CVE-2013-0156 (CCN-81119)
Assigned: 2012-12-06
Published: 2013-01-10
Updated: 2023-02-13
Summary:
CVSS v3 Severity: 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Changed
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): Partial
  Availability (A): Partial
9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
7.7 High (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): Complete
  Availability (A): Complete
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2013-0156
Source: secalert@redhat.com
Type: Third Party Advisory, US Government Resource
secalert@redhat.com
Source: CCN
Type: Tableau Software Web site
Ruby on Rails Vulnerability
Source: secalert@redhat.com
Type: Mailing List, Third Party Advisory
secalert@redhat.com
Source: CCN
Type: RHSA-2013-0153
Critical: Ruby on Rails security update
Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com
Source: CCN
Type: RHSA-2013-0154
Critical: Ruby on Rails security update
Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com
Source: CCN
Type: RHSA-2013-0155
Critical: Ruby on Rails security update
Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com
Source: CCN
Type: Ruby on Rails Web Site
Ruby on Rails
Source: CCN
Type: SA51753
Ruby on Rails XML Parameter Parsing Vulnerability
Source: CCN
Type: SA52095
Apple OS X Server Multiple Ruby on Rails Vulnerabilities
Source: CCN
Type: SA52367
Tableau Server Ruby on Rails XML Parameter Parsing Vulnerability
Source: CCN
Type: SA52369
Invensys Wonderware Intelligence Tableau Server Multiple Vulnerabilities
Source: CCN
Type: SA52600
Fujitsu Multiple Products Ruby on Rails XML Parsing Vulnerability
Source: CCN
Type: SA55659
Infoblox NetMRI Ruby on Rails XML Parameter Parsing Vulnerability
Source: CCN
Type: Apple Web site
About the security content of OS X Server v2.2.1
Source: secalert@redhat.com
Type: Vendor Advisory
secalert@redhat.com
Source: CCN
Type: IBM Security Bulletin 1626255
IBM Security Network Intrusion Prevention System can be affected by vulnerabilities in Ruby on Rails (CVE-2012-2660, CVE-2012-2694, CVE-2013-0156, CVE-2012-6496, CVE-2012-3424, and CVE-2012-2695)
Source: CCN
Type: IBM Security Bulletin 1626515
IBM Security Network Protection can be affected by vulnerabilities in Ruby on Rails (CVE-2012-2660, CVE-2012-2694, CVE-2013-0155, CVE-2013-0156, CVE-2012-6496, CVE-2012-3424, and CVE-2012-2695)
Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com
Source: DEBIAN
Type: DSA-2604
rails -- insufficient input validation
Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com
Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com
Source: secalert@redhat.com
Type: Third Party Advisory, US Government Resource
secalert@redhat.com
Source: secalert@redhat.com
Type: Third Party Advisory, US Government Resource
secalert@redhat.com
Source: CCN
Type: BID-57187
Ruby on Rails CVE-2013-0156 Multiple Security Vulnerabilities
Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com
Source: XF
Type: UNKNOWN
rubyonrails-xml-code-execution(81119)
Source: CCN
Type: Google Groups: Ruby on Rails
Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com
Source: CCN
Type: NMAP Web site
File http-vuln-cve2013-0156
Source: CCN
Type: Packet Storm Security [01-11-2013]
Ruby On Rails XML Processor YAML Deserialization Code Execution
Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com
Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [01-10-2013]
Source: CCN
Type: Rapid7 Vulnerability and Exploit Database [05-30-2018]
Ruby on Rails XML Processor YAML Deserialization Code Execution
Vulnerable Configuration:
Configuration CCN 1:
cpe:/a:rubyonrails:rails:3.0.1:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.2:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.4:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.7:-:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.6.8:*:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x_server:10.6.8:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.10:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.2:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.1.2:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.1.4:-:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x_server:10.7.5:*:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.7.5:*:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.8.2:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.9:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.8:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.7:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.0:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.4:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.3:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.1.0:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.1.1:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.1.5:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.6:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.8:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.5:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.9:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.13:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.12:-:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
OR
cpe:/a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
AND
cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
OR
cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium:*:*:*:*:*
OR
cpe:/o:apple:os_x_server:2.2.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:security_network_intrusion_prevention_system:4.3:*:*:*:*:*:*:*
OR
cpe:/a:ibm:security_network_intrusion_prevention_system:4.4:*:*:*:*:*:*:*
OR
cpe:/a:ibm:security_network_intrusion_prevention_system:4.5:*:*:*:*:*:*:*
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20130156 | V | CVE-2013-0156 | 2022-06-30
oval:org.opensuse.security:def:113355 | P | ruby2.2-rubygem-extlib-0.9.16-7.4 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:26225 | P | Security update for libsndfile (Important) | 2022-01-05
oval:org.opensuse.security:def:26184 | P | Security update for log4j (Important) | 2021-12-17
oval:org.opensuse.security:def:55262 | P | Security update for opensc (Important) | 2021-10-29
oval:org.opensuse.security:def:106762 | P | ruby2.2-rubygem-extlib-0.9.16-7.4 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:26120 | P | Security update for xerces-c (Important) | 2021-09-03
oval:org.opensuse.security:def:55945 | P | Security update for libesmtp (Important) | 2021-09-02
oval:org.opensuse.security:def:26109 | P | Security update for unrar (Moderate) | 2021-08-25
oval:org.opensuse.security:def:26108 | P | Security update for openssl-1_1 (Important) | 2021-08-24
oval:org.opensuse.security:def:36559 | P | rubygem-activesupport-3_2-3.2.12-0.9.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:26214 | P | Security update for wavpack (Important) | 2021-03-24
oval:org.opensuse.security:def:26213 | P | Security update for evolution-data-server (Moderate) | 2021-03-19
oval:org.opensuse.security:def:55779 | P | Security update for xen (Important) | 2020-12-10
oval:org.opensuse.security:def:55122 | P | Security update for gdm (Important) | 2020-12-03
oval:org.opensuse.security:def:55673 | P | Security update for krb5 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26289 | P | Security update for sane-backends (Important) | 2020-12-01
oval:org.opensuse.security:def:27522 | P | obex-data-server on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56504 | P | Security update for postgresql96 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26843 | P | xorg-x11 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26534 | P | curl on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55500 | P | Security update for java-1_7_0-openjdk, java-1_7_0-openjdk-bootstrap (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26884 | P | dhcpcd on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56430 | P | Security update for strongswan (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26790 | P | ofed on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26450 | P | Security update for MozillaThunderbird (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27627 | P | Security update for IBM Java 7 | 2020-12-01
oval:org.opensuse.security:def:26840 | P | wireshark on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56338 | P | Security update for libevent (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26639 | P | star on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26393 | P | Security update for chromium (Important) | 2020-12-01
oval:org.opensuse.security:def:26989 | P | man on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26826 | P | syslog-ng on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56230 | P | Security update for openssl (Important) | 2020-12-01
oval:org.opensuse.security:def:26555 | P | glib2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26312 | P | Security update for dnsmasq (Important) | 2020-12-01
oval:org.opensuse.security:def:27557 | P | rubygem-activesupport-3_2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55100 | P | empathy on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26945 | P | libdrm on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26787 | P | nagios on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26498 | P | Security update for nextcloud (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56623 | P | Security update for fuse (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55099 | P | emacs on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26931 | P | krb5 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26738 | P | libapr-util1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26417 | P | Security update for Mozilla Thunderbird (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27662 | P | Security update for Ruby On Rails | 2020-12-01
oval:org.opensuse.security:def:56542 | P | Security update for openssh (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26892 | P | expat on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26685 | P | dhcp on GA media (Moderate) | 2020-12-01
oval:org.mitre.oval:def:19664 | P | DSA-2604-1 rails - insufficient input validation | 2014-06-23
oval:com.ubuntu.precise:def:20130156000 | V | CVE-2013-0156 on Ubuntu 12.04 LTS (precise) - high. | 2013-01-13
oval:com.ubuntu.trusty:def:20130156000 | V | CVE-2013-0156 on Ubuntu 14.04 LTS (trusty) - high. | 2013-01-13