The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0686.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0701.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-1028.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-1147.html cve-icon cve-icon
http://secunia.com/advisories/52075 cve-icon cve-icon
http://secunia.com/advisories/52774 cve-icon cve-icon
http://secunia.com/advisories/52902 cve-icon cve-icon
http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed cve-icon cve-icon
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2013/02/11/7 cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2013/02/11/8 cve-icon cve-icon
http://www.osvdb.org/90074 cve-icon cve-icon
http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/ cve-icon
http://www.securityfocus.com/bid/57899 cve-icon cve-icon
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1733-1 cve-icon cve-icon
http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection cve-icon cve-icon
https://exchange.xforce.ibmcloud.com/vulnerabilities/82010 cve-icon cve-icon
https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2013-0269 cve-icon
https://puppet.com/security/cve/cve-2013-0269 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2013-0269 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-06T14:18:09.563Z

Reserved: 2012-12-06T00:00:00

Link: CVE-2013-0269

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2013-02-13T01:55:05.107

Modified: 2025-04-11T00:51:21.963

Link: CVE-2013-0269

cve-icon Redhat

Severity : Moderate

Publid Date: 2013-02-11T00:00:00Z

Links: CVE-2013-0269 - Bugzilla

cve-icon OpenCVE Enrichment

No data.