FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2013-1854

This CVE name corresponds to:

Entered     Topic
2013-04-10  rubygem-rails -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type:  Candidate
Name:  CVE-2013-1854
Phase: Assigned (20130219)

Description

The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.

References

Source   Reference
MLIST    [ruby-security-ann] 20130318 [CVE-2013-1854] Symbol DoS vulnerability in Active Record
CONFIRM  http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
CONFIRM  http://support.apple.com/kb/HT5784
APPLE    APPLE-SA-2013-06-04-1
APPLE    APPLE-SA-2013-10-22-5
REDHAT   RHSA-2013:0699
REDHAT   RHSA-2014:1863
SUSE     openSUSE-SU-2013:0659
SUSE     openSUSE-SU-2013:0660
SUSE     openSUSE-SU-2013:0664
SUSE     openSUSE-SU-2013:0667
SUSE     openSUSE-SU-2013:0668