VYPR
High severityNVD Advisory· Published Jan 13, 2013· Updated Jun 16, 2026

CVE-2013-0156

CVE-2013-0156

Description

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
actionpackRubyGems
< 2.3.152.3.15
actionpackRubyGems
>= 3.0.0, < 3.0.193.0.19
actionpackRubyGems
>= 3.1.0, < 3.1.103.1.10
actionpackRubyGems
>= 3.2.0, < 3.2.113.2.11

Affected products

6

Patches

Vulnerability mechanics

References

21

News mentions

0

No linked articles in our index yet.