Vulnerability Name:

CVE-2013-0269 (CCN-82010)

Assigned:2012-12-06
Published:2013-02-11
Updated:2017-12-09
Summary:The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-20
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2013-0269

Source: APPLE
Type: UNKNOWN
APPLE-SA-2013-10-22-5

Source: SUSE
Type: UNKNOWN
SUSE-SU-2013:0609

Source: SUSE
Type: UNKNOWN
SUSE-SU-2013:0647

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:0603

Source: CCN
Type: RHSA-2013-0686
Moderate: Subscription Asset Manager 1.2.1 update

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0686

Source: CCN
Type: RHSA-2013-0701
Moderate: ruby193-ruby, rubygem-json and rubygem-rdoc security update

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0701

Source: REDHAT
Type: UNKNOWN
RHSA-2013:1028

Source: REDHAT
Type: UNKNOWN
RHSA-2013:1147

Source: CCN
Type: SA52075
Ruby json Gem Document Parsing Vulnerability

Source: SECUNIA
Type: Vendor Advisory
52075

Source: SECUNIA
Type: UNKNOWN
52774

Source: SECUNIA
Type: UNKNOWN
52902

Source: CONFIRM
Type: UNKNOWN
http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed

Source: CCN
Type: Apple Web site
About the security content of OS X Server v3.0

Source: CCN
Type: Google Groups: Ruby on Rails
Rails 3.2.12, 3.1.11, and 2.3.17 have been released!

Source: CONFIRM
Type: Vendor Advisory
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/

Source: MLIST
Type: UNKNOWN
[oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]

Source: MLIST
Type: UNKNOWN
[oss-security] 20130211 Patch update for [CVE-2013-0269]

Source: OSVDB
Type: UNKNOWN
90074

Source: BID
Type: UNKNOWN
57899

Source: CCN
Type: BID-57899
JSON Denial of Service and Security Bypass Vulnerabilities

Source: SLACKWARE
Type: UNKNOWN
SSA:2013-075-01

Source: UBUNTU
Type: UNKNOWN
USN-1733-1

Source: CCN
Type: Thomas Hollstegge
Ruby on Rails vulnerable to mass assignment and SQL injection

Source: MISC
Type: UNKNOWN
http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection

Source: XF
Type: UNKNOWN
json-ruby-security-bypass(82010)

Source: MLIST
Type: UNKNOWN
[rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]

Source: CONFIRM
Type: UNKNOWN
https://puppet.com/security/cve/cve-2013-0269

Source: CCN
Type: RubyGems Web site
json gem for Ruby

Vulnerable Configuration:Configuration 1:
  • cpe:/a:rubygems:json_gem:1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.6.6:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.6.7:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.7.5:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:json_gem:1.7.6:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class (P = patch, V = vulnerability) | Title | Last Modified
    oval:org.opensuse.security:def:26220 | P | Security update for MozillaFirefox (Important) (in QA) | 2022-01-14
    oval:org.opensuse.security:def:26219 | P | Security update for apache2 (Important) (in QA) | 2022-01-10
    oval:org.opensuse.security:def:26187 | P | Security update for libvpx (Moderate) | 2021-12-23
    oval:org.opensuse.security:def:55261 | P | Security update for qemu (Important) | 2021-10-28
    oval:org.opensuse.security:def:26123 | P | Security update for openssl-1_0_0 (Low) | 2021-09-09
    oval:org.opensuse.security:def:55944 | P | Security update for openexr (Important) | 2021-09-02
    oval:org.opensuse.security:def:26112 | P | Security update for sssd (Important) | 2021-08-30
    oval:org.opensuse.security:def:5091 | P | Security update for libcares2 (Important) | 2021-08-16
    oval:org.opensuse.security:def:20130269 | V | CVE-2013-0269 | 2021-08-15
    oval:org.opensuse.security:def:5069 | P | Security update for openexr (Important) | 2021-06-24
    oval:org.opensuse.security:def:5751 | P | Security update for libnettle (Important) | 2021-06-23
    oval:org.opensuse.security:def:5060 | P | Security update for libjpeg-turbo (Moderate) | 2021-06-11
    oval:org.opensuse.security:def:5729 | P | Security update for libX11 (Important) | 2021-06-08
    oval:org.opensuse.security:def:36562 | P | rubygem-json_pure-1.2.0-0.4.4 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:5027 | P | Security update for gdm (Important) | 2021-04-28
    oval:org.opensuse.security:def:26111 | P | Security update for cups (Moderate) | 2021-02-02
    oval:org.opensuse.security:def:5078 | P | Security update for MozillaFirefox (Important) | 2021-01-29
    oval:org.opensuse.security:def:55778 | P | Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP2) (Important) | 2020-12-07
    oval:org.opensuse.security:def:11259 | P | ruby2.1-rubygem-chef-10.32.2-3.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:5002 | P | Security update for nodejs8 (Critical) | 2020-12-02
    oval:org.opensuse.security:def:4778 | P | Security update for libvirt (Important) | 2020-12-02
    oval:org.opensuse.security:def:4770 | P | Security update for qemu (Important) | 2020-12-02
    oval:org.opensuse.security:def:4800 | P | Security update for xen (Important) | 2020-12-02
    oval:org.opensuse.security:def:4846 | P | Security update for skopeo (Important) | 2020-12-02
    oval:org.opensuse.security:def:55121 | P | Security update for python3 (Important) | 2020-12-02
    oval:org.opensuse.security:def:4893 | P | Security update for graphviz (Low) | 2020-12-02
    oval:org.opensuse.security:def:4908 | P | Security update for xen (Important) | 2020-12-02
    oval:org.opensuse.security:def:4927 | P | Security update for mozilla-nss (Moderate) | 2020-12-02
    oval:org.opensuse.security:def:26315 | P | Security update for MozillaThunderbird (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26843 | P | xorg-x11 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26231 | P | Security update for mariadb-100 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26898 | P | freetype2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27560 | P | rubygem-json_pure on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26396 | P | Security update for chromium (Important) | 2020-12-01
    oval:org.opensuse.security:def:26887 | P | ed on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26295 | P | Security update for LibreOffice (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26937 | P | libMagickCore1-32bit on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26453 | P | Security update for kauth (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27525 | P | openldap2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26423 | P | Security update for opencv (Important) | 2020-12-01
    oval:org.opensuse.security:def:26951 | P | libgnomesu on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56229 | P | Security update for mariadb (Important) | 2020-12-01
    oval:org.opensuse.security:def:26537 | P | dhcp on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27668 | P | Security update for rubygem-json_pure | 2020-12-01
    oval:org.opensuse.security:def:26504 | P | Security update for chromium (Important) | 2020-12-01
    oval:org.opensuse.security:def:26995 | P | nagios-plugins on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55099 | P | emacs on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56337 | P | Security update for ImageMagick (Important) | 2020-12-01
    oval:org.opensuse.security:def:26688 | P | ecryptfs-utils-32bit on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26561 | P | gstreamer-0_10-plugins-good on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27633 | P | Security update for PostgreSQL | 2020-12-01
    oval:org.opensuse.security:def:56429 | P | Security update for libsoup (Important) | 2020-12-01
    oval:org.opensuse.security:def:55098 | P | elfutils on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26741 | P | libcap-progs on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26645 | P | unrar on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56503 | P | Security update for libraw (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26790 | P | ofed on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26796 | P | pam on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55499 | P | Security update for mariadb (Important) | 2020-12-01
    oval:org.opensuse.security:def:56541 | P | Security update for shadow (Important) | 2020-12-01
    oval:org.opensuse.security:def:26829 | P | systemtap on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26849 | P | zoo on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55672 | P | Security update for flash-player (Important) | 2020-12-01
    oval:org.opensuse.security:def:56622 | P | Security update for binutils (Moderate) | 2020-12-01
    oval:org.mitre.oval:def:18251 | P | USN-1733-1 -- ruby1.9.1 vulnerabilities | 2014-06-30
    oval:com.ubuntu.xenial:def:201302690000000 | V | CVE-2013-0269 on Ubuntu 16.04 LTS (xenial) - medium. | 2013-02-13
    oval:com.ubuntu.precise:def:20130269000 | V | CVE-2013-0269 on Ubuntu 12.04 LTS (precise) - medium. | 2013-02-12
    oval:com.ubuntu.trusty:def:20130269000 | V | CVE-2013-0269 on Ubuntu 14.04 LTS (trusty) - medium. | 2013-02-12
    oval:com.ubuntu.xenial:def:20130269000 | V | CVE-2013-0269 on Ubuntu 16.04 LTS (xenial) - medium. | 2013-02-12