CVE-2013-1854
Ruby on Rails 2.3.x < 2.3.18, 3.1.x < 3.1.12, 3.2.x < 3.2.13 - Denial of Service via Active Record Query Processing
Title source: llmDescription
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
References (12)
Mailing List, mailing-list (x_refsource_mlist): https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain
Vendor Advisory, vendor-advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-1863.html
Vendor Advisory, vendor-advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-0699.html
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html
Various Sources (x_refsource_confirm): http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
Mailing List, vendor-advisory (x_refsource_apple): http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
Vendor Advisory (x_refsource_confirm): http://support.apple.com/kb/HT5784
Mailing List, vendor-advisory (x_refsource_apple): http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
Scores
EPSS: 0.0180
EPSS Percentile: 83.0%
Details
CWE: CWE-20
Status: published
Products (30)
redhat/enterprise_linux 6.0
rubygems/activerecord 2.3.0 - 2.3.18 (RubyGems)
rubyonrails/rails 2.3.0
rubyonrails/rails 2.3.1
rubyonrails/rails 2.3.2
rubyonrails/rails 2.3.3
rubyonrails/rails 2.3.4
rubyonrails/rails 2.3.9
rubyonrails/rails 2.3.10
rubyonrails/rails 2.3.11
... and 20 more
Published: Mar 19, 2013
Tracked Since: Feb 18, 2026