The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Affected configurations

Nvd

Node

john_nunemakercrackRange≤0.3.1

john_nunemakercrackMatch0.1.8

john_nunemakercrackMatch0.2.0

john_nunemakercrackMatch0.3.0

VendorProductVersionCPE
john_nunemakercrack*cpe:2.3:a:john_nunemaker:crack:*:*:*:*:*:*:*:*
john_nunemakercrack0.1.8cpe:2.3:a:john_nunemaker:crack:0.1.8:*:*:*:*:*:*:*
john_nunemakercrack0.2.0cpe:2.3:a:john_nunemaker:crack:0.2.0:*:*:*:*:*:*:*
john_nunemakercrack0.3.0cpe:2.3:a:john_nunemaker:crack:0.3.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
john_nunemaker	crack	*	cpe:2.3:a:john_nunemaker:crack::::::::
john_nunemaker	crack	0.1.8	cpe:2.3:a:john_nunemaker:crack:0.1.8:::::::*
john_nunemaker	crack	0.2.0	cpe:2.3:a:john_nunemaker:crack:0.2.0:::::::*
john_nunemaker	crack	0.3.0	cpe:2.3:a:john_nunemaker:crack:0.3.0:::::::*

References

lists.opensuse.org/opensuse-security-announce/2013-04/msg00003.html

secunia.com/advisories/52897

bugzilla.novell.com/show_bug.cgi?id=804721

bugzilla.redhat.com/show_bug.cgi?id=917236

github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6

support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately

prion 7

osv 9

cvelist 7

rubygems 4

github 7

debiancve 5

ubuntucve 5

nvd 7

openvas 41

gentoo 2

nessus 16

kitploit 2

suse 6

checkpoint_advisories 1

zdt 3

packetstorm 4

redhat 2

metasploit 5

cve 6

debian 2

exploitdb 3

saint 4

veracode 2

cert 2

seebug 2

threatpost 3

thn 2

gitlab 1

fedora 16

freebsd 2

ics 1

nmap 1

ibm 1

securityvulns 2

prion

Type confusion

2013-04-09 20:55:00

Type confusion

2013-01-13 22:55:00

Design/Logic Flaw

2013-04-09 20:55:00

osv

crack does not properly restrict casts of string values

2017-10-24 18:33:37

rails - insufficient input validation

2013-01-09 00:00:00

actionpack Improper Input Validation vulnerability

2017-10-24 18:33:37

cvelist

CVE-2013-1800

2013-04-09 20:00:00

CVE-2013-0156

2013-01-13 22:00:00

CVE-2013-0333

2013-01-30 11:00:00

rubygems

CVE-2013-1800 rubygem-crack: YAML parameter parsing vulnerability

2013-01-08 20:00:00

CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack

2013-01-07 20:00:00

CVE-2013-0333 rubygem-activesupport: json to yaml parsing

2013-01-27 20:00:00

github

crack does not properly restrict casts of string values

2017-10-24 18:33:37

actionpack Improper Input Validation vulnerability

2017-10-24 18:33:37

Improper Input Validation in multi_xml

2017-10-24 18:33:37

debiancve

CVE-2013-1800

2013-04-09 20:55:01

CVE-2013-0156

2013-01-13 22:55:00

CVE-2013-0333

2013-01-30 12:00:08

ubuntucve

CVE-2013-1800

2013-04-09 00:00:00

CVE-2013-0156

2013-01-13 00:00:00

CVE-2013-1802

2013-04-09 00:00:00

nvd

CVE-2013-1800

2013-04-09 20:55:01

CVE-2013-0156

2013-01-13 22:55:00

CVE-2013-0333

2013-01-30 12:00:08

openvas

Gentoo Security Advisory GLSA 201404-04

2015-09-29 00:00:00

Debian Security Advisory DSA 2604-1 (rails - insufficient input validation)

2013-01-09 00:00:00

Debian: Security Advisory (DSA-2604-1)

2013-01-08 00:00:00

gentoo

Crack: Arbitrary code execution

2014-04-07 00:00:00

Ruby on Rails: Multiple vulnerabilities

2014-12-14 00:00:00

nessus

GLSA-201404-04 : Crack: Arbitrary code execution

2014-04-08 00:00:00

Debian DSA-2604-1 : rails - insufficient input validation

2013-01-10 00:00:00

Debian DLA-172-1 : libextlib-ruby security update

2015-03-26 00:00:00

kitploit

Dawnscanner - Dawn Is A Static Analysis Security Scanner For Ruby Written Web Applications (Sinatra, Padrino And ROR Frameworks)

2018-12-11 20:43:00

[Nmap v6.40] Free Security Scanner For Network Exploration & Security Audits

2013-08-21 01:33:00

suse

Security update for rubygem-crack (important)

2013-04-03 20:13:42

ruby on rails to 2.3.16 (important)

2013-02-12 10:10:39

ruby on rails to 2.3.16 (important)

2013-02-12 11:04:29

checkpoint_advisories

Ruby on Rails XML Processor YAML Deserialization Code Execution (CVE-2013-0156)

2013-01-20 00:00:00

zdt

Action Pack Multiple Vulnerabilities

2013-01-09 00:00:00

Ruby On Rails XML Processor YAML Deserialization Code Execution

2013-01-11 00:00:00

Ruby on Rails JSON Processor YAML Deserialization Code Execution

2013-01-29 00:00:00

packetstorm

Ruby On Rails XML Processor YAML Deserialization Code Execution

2013-01-11 00:00:00

Ruby On Rails XML Processor YAML Deserialization Scanner

2024-09-01 00:00:00

Ruby on Rails JSON Processor YAML Deserialization Code Execution

2013-01-29 00:00:00

redhat

(RHSA-2013:0153) Critical: Ruby on Rails security update

2013-01-10 00:00:00

(RHSA-2013:0154) Critical: Ruby on Rails security update

2013-01-10 20:37:00

metasploit

Ruby on Rails XML Processor YAML Deserialization Code Execution

2013-01-10 05:10:13

Ruby on Rails XML Processor YAML Deserialization Scanner

2013-01-09 18:50:38

Ruby on Rails Known Secret Session Cookie Remote Code Execution

2013-07-26 18:23:18

cve

CVE-2013-0156

2013-01-13 22:55:00

CVE-2013-0285

2013-04-09 20:55:01

CVE-2013-0175

2013-04-25 23:55:01

debian

[SECURITY] [DLA 172-1] libextlib-ruby security update

2015-03-14 19:01:22

[SECURITY] [DSA 2604-1] rails security update

2013-01-09 19:17:20

exploitdb

Ruby on Rails - XML Processor YAML Deserialization Code Execution (Metasploit)

2013-01-10 00:00:00

Ruby on Rails - Known Secret Session Cookie Remote Code Execution (Metasploit)

2013-08-12 00:00:00

Ruby on Rails - JSON Processor YAML Deserialization Code Execution (Metasploit)

2013-01-29 00:00:00

saint

Ruby on Rails XML Processor YAML Deserialization

2013-02-15 00:00:00

Ruby on Rails XML Processor YAML Deserialization

2013-02-15 00:00:00

Ruby on Rails XML Processor YAML Deserialization

2013-02-15 00:00:00

veracode

Denial Of Service (DoS) Memory Consumption, Arbitrary Code Execution And Object-injection Attacks

2019-01-15 08:53:34

Arbitrary Code Execution, SQL Injection Attacks And Authentication Bypass

2019-01-15 08:54:45

cert

Ruby on Rails Action Pack framework insecurely typecasts YAML and Symbol XML parameters

2013-01-08 00:00:00

Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability

2013-01-28 00:00:00

seebug

Ruby on Rails XML Processor YAML Deserialization Code Execution

2014-07-01 00:00:00

Ruby on Rails JSON Processor YAML Deserialization Code Execution

2013-02-03 00:00:00

threatpost

Exploit Code, Metasploit Module Out for Ruby on Rails Flaws

2013-01-10 15:01:40

Ruby on Rails Exploit Harvests IRC Botnet

2013-05-28 18:56:05

Some Versions of Ruby on Rails Vulnerable to New Parsing Attack

2013-01-29 17:47:51

thn

Ruby on Rails exploit could hijack unpatched servers for botnet

2013-05-31 03:53:00

Ruby on Rails exploit could hijack unpatched servers for botnet

2013-05-30 16:53:00

gitlab

Multiple vulnerabilities in parameter parsing in Action Pack

2013-01-13 00:00:00

fedora

[SECURITY] Fedora 18 Update: rubygem-actionpack-3.2.8-2.fc18

2013-01-20 03:40:48

[SECURITY] Fedora 17 Update: rubygem-activemodel-3.0.11-2.fc17

2013-01-23 01:53:38

[SECURITY] Fedora 16 Update: rubygem-activemodel-3.0.10-2.fc16

2013-01-23 01:34:00

freebsd

rubygem-rails -- multiple vulnerabilities

2013-01-08 00:00:00

puppet27 and puppet -- multiple vulnerabilities

2013-03-13 00:00:00

ics

Wonderware Intelligence Tableau Server Ruby on Rails Improper Input Validation (Update A)

2013-02-21 00:00:00

nmap

http-vuln-cve2013-0156 NSE Script

2013-04-25 03:15:33

ibm

Security Bulletin: IBM Security Network Intrusion Prevention System can be affected by vulnerabilities in Ruby on Rails (CVE-2012-2660, CVE-2012-2694, CVE-2013-0156, CVE-2012-6496, CVE-2012-3424, and CVE-2012-2695)

2021-01-25 20:13:51

securityvulns

APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001

2013-03-24 00:00:00

Apple Mac OS X multiple security vulnerabilities

2013-03-24 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

9.6

Confidence

High

EPSS

0.972

Percentile

99.9%

JSON

Related for CVE-2013-1800