CVE-2013-1800

crack <= 0.3.1 - Remote Code Execution and Denial of Service via Unrestricted YAML/Symbol String Casts

Title source: llm

Description

The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Scores

EPSS 0.0495
EPSS Percentile 91.1%

Details

CWE
CWE-264
Status published
Products (5)
john_nunemaker/crack 0.1.8
john_nunemaker/crack 0.2.0
john_nunemaker/crack 0.3.0
john_nunemaker/crack < 0.3.1
rubygems/crack 0 - 0.3.2 (RubyGems)
Published Apr 09, 2013
Tracked Since Feb 18, 2026