RubySec

Providing security resources for the Ruby community

CVE-2013-1854 (activerecord): CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability

ADVISORIES

GEM

activerecord

FRAMEWORK

rails

SEVERITY

CVSS v2: 7.8 (High)

UNAFFECTED VERSIONS

  • ~> 3.0.0

PATCHED VERSIONS

  • ~> 2.3.18
  • ~> 3.1.12
  • >= 3.2.13

DESCRIPTION

The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected.