CVE-2013-0285

nori_gem 1.0.x < 1.0.3, 1.1.x < 1.1.4, 2.0.x < 2.0.2 - Remote Code Execution via String Cast Injection

Title source: llm

Description

The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

References (2)

Core 2

Core References

Mailing List mailing-list x_refsource_mlist

http://seclists.org/oss-sec/2013/q1/304

Various Sources x_refsource_misc

https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately

Scores

EPSS 0.0150

EPSS Percentile 81.4%

Details

CWE

CWE-20

Status published

Products (10)

nori_gem_project/nori_gem 2.0.0

nori_gem_project/nori_gem 2.0.1

nori_gem_project/nori_gem 1.1.0

nori_gem_project/nori_gem 1.1.1

nori_gem_project/nori_gem 1.1.2

nori_gem_project/nori_gem 1.1.3

nori_gem_project/nori_gem 1.0.0

nori_gem_project/nori_gem 1.0.1

nori_gem_project/nori_gem 1.0.2

rubygems/nori 2.0.0 - 2.0.2RubyGems

Published Apr 09, 2013

Tracked Since Feb 18, 2026