CVE-2013-0269: Denial of Service and Unsafe Object Creation Vulnerability

February 12, 2013 (updated December 8, 2017)

When parsing certain JSON documents, the JSON gem can be coerced in to creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack. The same technique can be used to create objects in a target system that act like internal objects. These “act alike” objects can be used to bypass certain security mechanisms and can be used as a spring board for SQL injection attacks in Ruby on Rails.

References

groups.google.com/forum/?fromgroups=

Detect and mitigate CVE-2013-0269 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →