CVE-2013-1800 Common Vulnerabilities and Exposures

Upstream information

CVE-2013-1800 at MITRE

Description

The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector	Network
Access Complexity	Low
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	Partial
Availability Impact	Partial

SUSE Bugzilla entry: 804721 [RESOLVED / FIXED]

SUSE Security Advisories:

SUSE-SU-2013:1036-1, published Mon Jun 17 15:04:10 MDT 2013

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Studio Onsite 1.3	`susestudio >= 1.3.1.0-0.5.2` `susestudio-bundled-packages >= 1.3.1.0-0.5.2` `susestudio-common >= 1.3.1.0-0.5.2` `susestudio-runner >= 1.3.1.0-0.5.2` `susestudio-sid >= 1.3.1.0-0.5.2` `susestudio-ui-server >= 1.3.1.0-0.5.2`	Patchnames: slestso13-susestudio

SUSE Timeline for this CVE

CVE page created: Fri Jun 28 09:02:55 2013
CVE page last modified: Fri Oct 13 18:59:24 2023