{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-02-11T00:00:00", "descriptions": [{"lang": "en", "value": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-08T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2013:0701", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"name": "openSUSE-SU-2013:0603", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"}, {"name": "APPLE-SA-2013-10-22-5", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"}, {"name": "SSA:2013-075-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE"], "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862"}, {"name": "52774", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52774"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"}, {"name": "[rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain"}, {"name": "90074", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/90074"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://puppet.com/security/cve/cve-2013-0269"}, {"name": "52902", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52902"}, {"name": "RHSA-2013:0686", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"name": "57899", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/57899"}, {"name": "[oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"}, {"name": "[oss-security] 20130211 Patch update for [CVE-2013-0269]", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"}, {"name": "USN-1733-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"name": "SUSE-SU-2013:0609", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"}, {"name": "RHSA-2013:1028", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"}, {"name": "json-ruby-security-bypass(82010)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"}, {"name": "RHSA-2013:1147", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"}, {"name": "52075", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52075"}, {"name": "SUSE-SU-2013:0647", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T14:18:09.563Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2013:0701", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"name": "openSUSE-SU-2013:0603", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"}, {"name": "APPLE-SA-2013-10-22-5", "tags": ["vendor-advisory", "x_refsource_APPLE", "x_transferred"], "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"}, {"name": "SSA:2013-075-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE", "x_transferred"], "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862"}, {"name": "52774", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/52774"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"}, {"name": "[rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain"}, {"name": "90074", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/90074"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://puppet.com/security/cve/cve-2013-0269"}, {"name": "52902", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/52902"}, {"name": "RHSA-2013:0686", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"name": "57899", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/57899"}, {"name": "[oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269]", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"}, {"name": "[oss-security] 20130211 Patch update for [CVE-2013-0269]", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"}, {"name": "USN-1733-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"name": "SUSE-SU-2013:0609", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"}, {"name": "RHSA-2013:1028", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"}, {"name": "json-ruby-security-bypass(82010)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"}, {"name": "RHSA-2013:1147", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"}, {"name": "52075", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/52075"}, {"name": "SUSE-SU-2013:0647", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0269", "datePublished": "2013-02-13T01:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.563Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1A6068E1-1BB1-4FBE-A4DA-C303B2E65E1D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "6572D2E9-1D09-4245-BEB3-A3BCF3C4455C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "56DF3383-1E82-4FA0-B92F-1C96DAB5C12C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "3EFA5025-DFED-4540-B773-5777ACE013C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "9EB792B2-FF20-4C39-B2DD-171E6B8317F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "A65B497E-F658-4E6D-810C-97C56FF0AAF1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "6D8A1269-441E-48E1-A0F2-949C49FFAEC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "DC0420E6-84C8-4210-AB79-875564741330", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "73665EA1-E35D-469D-8898-163FB8DF34AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "0AB8EC9A-8CC4-4A71-A026-6FB98DA1A35F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "530A8D3B-AFF0-4316-A4B5-B222A73CD9E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "89AE459A-4169-47F4-9B40-344002352C61", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "9FC8E7A7-7A94-497E-B8C2-B4A0CBD4BD7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "D696FD5D-3DAD-4AAB-A3C7-1865739922D8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "88A3B72B-5784-4169-88DA-9EF51C5CE907", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "0B59F779-5E90-40E3-ABC8-58A7EC3C7E17", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "979B9AA8-3E70-4BCF-8C2F-3C872AF8A7B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "7DCB75C6-3E7A-41C7-8513-8766C4ED73F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.5:*:*:*:*:*:*:*", "matchCriteriaId": "717A9E8C-9E3E-4F55-8CD4-D9E6CF670C5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubygems:json_gem:1.7.6:*:*:*:*:*:*:*", "matchCriteriaId": "52D8BF48-03A7-4EFA-B626-A92C8570CB86", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""}, {"lang": "es", "value": "El JSON gem v1.7.x anteriores a 1.7.7, v1.6.x anteriores a v1.6.8, y v1.5.x anteriores a v1.5.5 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de recursos) o evitar el mecanismo de protecci\u00f3n de asignaci\u00f3n masiva a trav\u00e9s de un documento JSON manipulado que lanza la creaci\u00f3n de s\u00edmbolos arbitrarios en Ruby o ciertos objetos internos, como se demostr\u00f3 como se ha demostrado mediante la realizaci\u00f3n de un ataque de inyecci\u00f3n SQL en Ruby on Rails, tambi\u00e9n conocido como \"Vulnerabilidad de creaci\u00f3n de objetos no seguro\"."}], "id": "CVE-2013-0269", "lastModified": "2017-12-09T02:29:01.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-02-13T01:55:05.107", "references": [{"source": "secalert@redhat.com", "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0701.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-1028.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52075"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/52774"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/52902"}, {"source": "secalert@redhat.com", "url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/02/11/7"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/02/11/8"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/90074"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/57899"}, {"source": "secalert@redhat.com", "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1733-1"}, {"source": "secalert@redhat.com", "url": "http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82010"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain"}, {"source": "secalert@redhat.com", "url": "https://puppet.com/security/cve/cve-2013-0269"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Ben Murphy and Thomas Hollstegge (Zweitag) as the original reporters.", "affected_release": [{"advisory": "RHSA-2013:1028", "cpe": "cpe:/a:redhat:fuse_esb_enterprise:7.1.0", "product_name": "Fuse ESB Enterprise 7.1.0", "release_date": "2013-07-09T00:00:00Z"}, {"advisory": "RHSA-2013:1185", "cpe": "cpe:/a:redhat:jboss_fuse:6.0.0", "product_name": "Red Hat JBoss Fuse 6.0", "release_date": "2013-08-29T00:00:00Z"}, {"advisory": "RHSA-2013:1147", "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3", "product_name": "Red Hat JBoss SOA Platform 5.3", "release_date": "2013-08-08T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "candlepin-0:0.7.24-1.el6_3", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "katello-0:1.2.1.1-1h.el6_4", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "katello-configure-0:1.2.3.1-4h.el6_4", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-actionpack-1:3.0.10-12.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-activemodel-0:3.0.10-3.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-delayed_job-0:2.1.4-3.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-json-0:1.7.3-2.el6_3", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-rack-1:1.3.0-4.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-rails_warden-0:0.5.5-2.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "rubygem-rdoc-0:3.8-6.el6cf", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0686", "cpe": "cpe:/a:rhel_sam:1.2::el6", "package": "thumbslug-0:0.0.28.1-1.el6_4", "product_name": "Red Hat Subscription Asset Manager 1.2", "release_date": "2013-03-26T00:00:00Z"}, {"advisory": "RHSA-2013:0701", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "ruby193-ruby-0:1.9.3.327-28.el6", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-02T00:00:00Z"}, {"advisory": "RHSA-2013:0701", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "rubygem-json-0:1.7.3-2.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-02T00:00:00Z"}, {"advisory": "RHSA-2013:0701", "cpe": "cpe:/a:redhat:openshift:1::el6", "package": "rubygem-rdoc-0:3.8-9.el6op", "product_name": "RHEL 6 Version of OpenShift Enterprise", "release_date": "2013-04-02T00:00:00Z"}], "bugzilla": {"description": "rubygem-json: Denial of Service and SQL Injection", "id": "909029", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909029"}, "csaw": false, "cvss": {"cvss_base_score": "7.5", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-502", "details": ["The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""], "name": "CVE-2013-0269", "package_state": [{"cpe": "cpe:/a:cloudforms_tools:1", "fix_state": "Will not fix", "package_name": "rubygem-json", "product_name": "Red Hat CloudForms Tools 1"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Affected", "package_name": "rubygem-json", "product_name": "Red Hat Enterprise MRG 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "dsp-5.3.0", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-entesb-7", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "others", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3", "fix_state": "Will not fix", "package_name": "jruby", "product_name": "Red Hat JBoss SOA Platform 4.3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Affected", "package_name": "jruby", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-tools", "product_name": "Red Hat Satellite 6"}], "public_date": "2013-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-0269\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-0269\nhttp://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/"], "statement": "Red Hat Satellite tools ship RubyGem Json 1.4.6 which is earlier than affected 1.5.5 version however, this version of RubyGem is not affected to the flaw. We may update RubyGem in a future release.", "threat_severity": "Moderate"}