ADVISORIES
- CVE-2013-1854 (NVD)
- GHSA-3crr-9vmg-864v
- OSVDB-91453
GEM
FRAMEWORK
SEVERITY
CVSS v2.0: 7.8 (High)
UNAFFECTED VERSIONS
- ~> 3.0.0
PATCHED VERSIONS
- ~> 2.3.18
- ~> 3.1.12
- >= 3.2.13
DESCRIPTION
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected.