{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-02-11T00:00:00", "descriptions": [{"lang": "en", "value": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-08T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2013:0701", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"name": "openSUSE-SU-2013:0603", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"}, {"name": "APPLE-SA-2013-10-22-5", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"}, {"name": "SSA:2013-075-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE"], "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862"}, {"name": "52774", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52774"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"}, {"name": "[rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain"}, {"name": "90074", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/90074"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://puppet.com/security/cve/cve-2013-0269"}, {"name": "52902", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52902"}, {"name": "RHSA-2013:0686", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"name": "57899", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/57899"}, {"name": "[oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"}, {"name": "[oss-security] 20130211 Patch update for [CVE-2013-0269]", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"}, {"name": "USN-1733-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"name": "SUSE-SU-2013:0609", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"}, {"name": "RHSA-2013:1028", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"}, {"name": "json-ruby-security-bypass(82010)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"}, {"name": "RHSA-2013:1147", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"}, {"name": "52075", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52075"}, {"name": "SUSE-SU-2013:0647", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0269", "datePublished": "2013-02-13T01:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2017-12-08T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1A6068E1-1BB1-4FBE-A4DA-C303B2E65E1D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "6572D2E9-1D09-4245-BEB3-A3BCF3C4455C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "56DF3383-1E82-4FA0-B92F-1C96DAB5C12C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "3EFA5025-DFED-4540-B773-5777ACE013C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "9EB792B2-FF20-4C39-B2DD-171E6B8317F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "A65B497E-F658-4E6D-810C-97C56FF0AAF1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "6D8A1269-441E-48E1-A0F2-949C49FFAEC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "DC0420E6-84C8-4210-AB79-875564741330", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "73665EA1-E35D-469D-8898-163FB8DF34AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "0AB8EC9A-8CC4-4A71-A026-6FB98DA1A35F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "530A8D3B-AFF0-4316-A4B5-B222A73CD9E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "89AE459A-4169-47F4-9B40-344002352C61", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "9FC8E7A7-7A94-497E-B8C2-B4A0CBD4BD7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "D696FD5D-3DAD-4AAB-A3C7-1865739922D8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "88A3B72B-5784-4169-88DA-9EF51C5CE907", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "0B59F779-5E90-40E3-ABC8-58A7EC3C7E17", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "979B9AA8-3E70-4BCF-8C2F-3C872AF8A7B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "7DCB75C6-3E7A-41C7-8513-8766C4ED73F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.5:*:*:*:*:*:*:*", "matchCriteriaId": "717A9E8C-9E3E-4F55-8CD4-D9E6CF670C5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.6:*:*:*:*:*:*:*", "matchCriteriaId": "52D8BF48-03A7-4EFA-B626-A92C8570CB86", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""}, {"lang": "es", "value": "El JSON gem v1.7.x anteriores a 1.7.7, v1.6.x anteriores a v1.6.8, y v1.5.x anteriores a v1.5.5 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de recursos) o evitar el mecanismo de protecci\u00f3n de asignaci\u00f3n masiva a trav\u00e9s de un documento JSON manipulado que lanza la creaci\u00f3n de s\u00edmbolos arbitrarios en Ruby o ciertos objetos internos, como se demostr\u00f3 como se ha demostrado mediante la realizaci\u00f3n de un ataque de inyecci\u00f3n SQL en Ruby on Rails, tambi\u00e9n conocido como \"Vulnerabilidad de creaci\u00f3n de objetos no seguro\"."}], "id": "CVE-2013-0269", "lastModified": "2017-12-09T02:29:01.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-02-13T01:55:05.107", "references": [{"source": "secalert@redhat.com", "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52075"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/52774"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/52902"}, {"source": "secalert@redhat.com", "url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/90074"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/57899"}, {"source": "secalert@redhat.com", "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"source": "secalert@redhat.com", "url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain"}, {"source": "secalert@redhat.com", "url": "https://puppet.com/security/cve/cve-2013-0269"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}