NVD

Id
36542  
Name
CVE-2013-0175  
Description
multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.  
Reject
 
CVSS Version
2  
CVSS Score
7.5  
Severity
High  
CVSS Base Score
7.5  
CVSS Impact Subscore
6.4  
CVSS Exploit Subscore
10  
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:P)  
Pub Date
2017-01-18  
Published
2013-04-25  
Modified Date
2013-04-26  
Seq
2013-0175  

Actions

Related NVD References

Id NVD Id NVD No. Reference Actions
186652 36542 CVE-2013-0175 [oss-security] 20130111 Re: CVE request for multi_xml ruby gem (has same problem as CVE-2013-0156)  View
186653 36542 CVE-2013-0175 https://gist.github.com/nate/d7f6d9f4925f413621aa  View
186654 36542 CVE-2013-0175 https://github.com/sferik/multi_xml/pull/34  View
186655 36542 CVE-2013-0175 https://groups.google.com/forum/?fromgroups=#!topic/ruby-grape/fthDkMgIOa0  View
186656 36542 CVE-2013-0175 https://news.ycombinator.com/item?id=5040457  View

Related JVN

Id Name Title Summary Cveinfo Name Cveinfo Id Nvdinfo Name Nvdinfo Id Cvssv2 Cvssv3 Jvnurl Published Date Last Updated Date Actions
20906 JVNDB-2013-002481 Grape などの製品で使用される Ruby 用 multi_xml gem におけるオブジェクトインジェクション攻撃を誘発される脆弱性 Grape およびその他の製品で使用される Ruby 用 multi_xml gem は、文字列の値のキャストを適切に制限しないため、オブジェクトインジェクション攻撃を誘発される、および任意のコードを実行される、またはサービス運用妨害 (メモリおよび CPU 資源の消費) 状態にされる脆弱性が存在します。 CVE-2013-0175 60117 CVE-2013-0175 36542 7.5 http://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-002481.html 2013-01-10 2013-04-30 View