VYPR
High severity · NVD Advisory · Published Apr 9, 2013 · Updated Apr 29, 2026

CVE-2013-0285

Description

The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
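The fix commits listed under Patches delete the "yaml" and "symbol" entries from Nori::XMLUtilityNode.typecasts, so a type attribute in the document can no longer route text into YAML.load or String#to_sym. The following is an added illustration, not nori's own code: a typecast table in the same shape with those two entries absent, a cast routine over constructed (type, text) pairs, and a small check that flags a table still carrying either name. Returning the text unchanged when a type has no table entry is this example's assumption about the fallback; the diff shows only the two deletions, not the lookup code.

```ruby
require "bigdecimal"

# Added example, not nori's code. A typecast table in the shape of
# Nori::XMLUtilityNode.typecasts after the fix: there is no "yaml" entry
# (YAML.load on document text) and no "symbol" entry (String#to_sym on
# document text), so a type attribute in the input can never select them.
SAFE_TYPECASTS = {
  "integer"      => lambda { |v| v.nil? ? nil : v.to_i },
  "boolean"      => lambda { |v| v.nil? ? nil : (v.strip != "false") },
  "decimal"      => lambda { |v| v.nil? ? nil : BigDecimal(v.to_s) },
  "double"       => lambda { |v| v.nil? ? nil : v.to_f },
  "float"        => lambda { |v| v.nil? ? nil : v.to_f },
  "string"       => lambda { |v| v.to_s },
  "base64Binary" => lambda { |v| v.unpack1("m") },
}.freeze

# Typecast names that must never be selectable from document content.
UNSAFE_TYPECAST_NAMES = %w[yaml symbol].freeze

# Cast a text node according to its type attribute. A type with no table
# entry returns the text unchanged (assumption about the fallback; the fix
# diff only shows the two entries being removed, not the lookup code).
def typecast_value(type, text)
  cast = SAFE_TYPECASTS[type]
  cast ? cast.call(text) : text
end

# Defensive check for any typecast table: returns the unsafe names it still
# contains. Meant to run against Nori::XMLUtilityNode.typecasts (the table
# named in the fix diff) after the gem is loaded, e.g. as a boot-time assertion.
def unsafe_typecasts(table)
  table.keys & UNSAFE_TYPECAST_NAMES
end

# Constructed sample input: (type, text) pairs as they would arrive from parsed
# <name type="...">text</name> elements in a request body.
SAMPLE_NODES = {
  "id"       => ["integer", "42"],
  "approved" => ["boolean", "false"],
  "revenue"  => ["decimal", "1.50"],
  "content"  => ["yaml", "--- \n:message: Have a nice day\n"],
  "resident" => ["symbol", "yes"],
  "blob"     => ["base64Binary", "aGVsbG8="],
}.freeze

# Apply the table to every sample node; "yaml" and "symbol" fall through and
# stay plain Strings instead of being evaluated or interned.
def cast_sample(nodes = SAMPLE_NODES)
  nodes.transform_values { |(type, text)| typecast_value(type, text) }
end

if __FILE__ == $PROGRAM_NAME
  cast_sample.each { |k, v| puts "#{k}: #{v.inspect} (#{v.class})" }
  puts "unsafe entries: #{unsafe_typecasts(SAFE_TYPECASTS).inspect}"
end
```

With the table above, the "content" and "resident" samples come back as the untouched strings, while the numeric, boolean and base64 casts still work; `unsafe_typecasts` returns an empty list for this table and names whichever of the two entries a table still contains, which is the check worth wiring into a test suite for any application that customises nori's typecasts.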

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions  | Patched versions
nori    | RubyGems  | >= 2.0.0, < 2.0.2  | 2.0.2
nori    | RubyGems  | >= 1.1.0, < 1.1.4  | 1.1.4
nori    | RubyGems  | >= 1.0.0, < 1.0.3  | 1.0.3

Affected products

  • cpe:2.3:a:nori_gem_project:nori_gem:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nori_gem_project:nori_gem:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nori_gem_project:nori_gem:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:nori_gem_project:nori_gem:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nori_gem_project:nori_gem:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nori_gem_project:nori_gem:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:nori_gem_project:nori_gem:1.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:nori_gem_project:nori_gem:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nori_gem_project:nori_gem:2.0.1:*:*:*:*:*:*:*

Patches

4bcf59abdcec

fixed spec for remote code execution vulnerability

https://github.com/savonrb/nori · rubiii · Jan 9, 2013 · via ghsa
1 file changed · +5 -3
  • spec/nori/nori_spec.rb (+5 -3, modified)
    @@ -395,7 +395,8 @@
               'approved'   => nil,
               'written_on' => nil,
               'viewed_at'  => nil,
    -          'content'    => nil,
    +          # don't execute arbitary YAML code
    +          'content'    => { "@type" => "yaml" },
               'parent_id'  => nil,
               'nil_true'   => nil,
               'namespaced' => nil
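Review bot: the new expectation `'content'    => { "@type" => "yaml" }` pins the library's fallback for a type it no longer knows (attributes kept, no cast applied) rather than asserting directly that nothing is loaded; a spec that feeds a type="yaml" element with text and checks the result is a plain String would document the fix more robustly and survive later changes to the fallback shape. Also "arbitary" in the added comment should read "arbitrary".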
    @@ -435,12 +436,13 @@
               # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
               # The line in ActiveSupport is
               # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
    -          'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
    +          'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n",
               'author_email_address' => "david@loudthinking.com",
               'parent_id' => nil,
               'ad_revenue' => BigDecimal("1.50"),
               'optimum_viewing_angle' => 135.0,
    -          'resident' => :yes
    +          # don't create symbols from arbitary remote code
    +          'resident' => "yes"
             }
     
             parse(topic_xml)["topic"].each do |k,v|
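Review bot: the three comment lines kept above the changed 'content' expectation ("Changed this line where the key is :message ..." and "The line in ActiveSupport is ...") describe the old hash-valued expectation and are stale now that 'content' is expected to be the raw YAML text; drop or rewrite them. "arbitary" in the comment on 'resident' should be "arbitrary". This spec change also lands separately from the lib commit that removes the typecasts, so at either commit on its own the suite and the library disagree; landing both in one commit keeps every revision green.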
    
c3fdce7a2d26

fixed spec for remote code execution vulnerability

https://github.com/savonrb/nori · rubiii · Jan 9, 2013 · via ghsa
1 file changed · +5 -3
  • spec/nori/nori_spec.rb (+5 -3, modified)
    @@ -367,7 +367,8 @@
               'approved'   => nil,
               'written_on' => nil,
               'viewed_at'  => nil,
    -          'content'    => nil,
    +          # don't execute arbitary YAML code
    +          'content'    => { "@type" => "yaml" },
               'parent_id'  => nil,
               'nil_true'   => nil,
               'namespaced' => nil
    @@ -407,12 +408,13 @@
               # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
               # The line in ActiveSupport is
               # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
    -          'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
    +          'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n",
               'author_email_address' => "david@loudthinking.com",
               'parent_id' => nil,
               'ad_revenue' => BigDecimal("1.50"),
               'optimum_viewing_angle' => 135.0,
    -          'resident' => :yes
    +          # don't create symbols from arbitary remote code
    +          'resident' => "yes"
             }
     
             parse(topic_xml)["topic"].each do |k,v|
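Review bot: this hunk is identical to the second hunk of 4bcf59abdcec apart from the @@ offsets, so the same two points apply: the ActiveSupport comment block above 'content' is now stale, and "arbitary" should be "arbitrary" in both added comments.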
    
c5e07f5c32e6

fixed spec for remote code execution vulnerability

https://github.com/savonrb/nori · rubiii · Jan 9, 2013 · via ghsa
1 file changed · +5 -3
  • spec/nori/nori_spec.rb (+5 -3, modified)
    @@ -369,7 +369,8 @@
               'approved'   => nil,
               'written_on' => nil,
               'viewed_at'  => nil,
    -          'content'    => nil,
    +          # don't execute arbitary YAML code
    +          'content'    => { "@type" => "yaml" },
               'parent_id'  => nil,
               'nil_true'   => nil,
               'namespaced' => nil
    @@ -409,12 +410,13 @@
               # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
               # The line in ActiveSupport is
               # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
    -          'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
    +          'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n",
               'author_email_address' => "david@loudthinking.com",
               'parent_id' => nil,
               'ad_revenue' => BigDecimal("1.50"),
               'optimum_viewing_angle' => 135.0,
    -          'resident' => :yes
    +          # don't create symbols from arbitary remote code
    +          'resident' => "yes"
             }
     
             parse(topic_xml)["topic"].each do |k,v|
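Review bot: same content as the second hunk of 4bcf59abdcec and c3fdce7a2d26 with different offsets; the stale ActiveSupport comment block above 'content' and the "arbitary" typo carry over here too.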
    
2ca6f8603e40

fixed YAML remote code execution vulnerability

https://github.com/savonrb/nori · rubiii · Jan 9, 2013 · via ghsa
2 files changed · +7 -3
  • CHANGELOG.md (+7 -1, modified)
    @@ -1,3 +1,9 @@
    +== master
    +
    +* Fix for remote code execution bug. For more in-depth information, read about the
    +  recent [Rails hotfix](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ).
    +  Please make sure to upgrade now!
    +
     == 1.0.2 (2011-07-04)
     
     * Fix: When specifying a custom formula to convert tags, XML attributes were ignored.
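Review bot: the new section is headed `== master` with no version or date, while the sibling commit 818f5263b1d5 heads the same entry `# 2.0.2 (2013-01-09)`. The preceding entry here is 1.0.2 and the advisory's package table gives 1.0.3 as the patched version for this series, so name that release in the heading so users can tell which gem version carries the fix.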
    @@ -54,7 +60,7 @@
     
     == 0.2.1 (2011-05-15)
     
    -* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.  
    +* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
       This avoids problems with attributes and child nodes having the same name.
     
           <multiRef id="id1">
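Review bot: this hunk only strips trailing whitespace from the 0.2.1 entry and is unrelated to the fix; in a security hotfix that is being applied to three branches, whitespace churn is better kept in a separate commit so the security diff stays minimal and reviewable.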
    
  • lib/nori/xml_utility_node.rb (+0 -2, modified)
    @@ -52,9 +52,7 @@ def self.available_typecasts=(obj)
         self.typecasts["decimal"]       = lambda { |v| v.nil? ? nil : BigDecimal(v.to_s) }
         self.typecasts["double"]        = lambda { |v| v.nil? ? nil : v.to_f }
         self.typecasts["float"]         = lambda { |v| v.nil? ? nil : v.to_f }
    -    self.typecasts["symbol"]        = lambda { |v| v.nil? ? nil : v.to_sym }
         self.typecasts["string"]        = lambda { |v| v.to_s }
    -    self.typecasts["yaml"]          = lambda { |v| v.nil? ? nil : YAML.load(v) }
         self.typecasts["base64Binary"]  = lambda { |v| v.unpack('m').first }
     
         self.available_typecasts = self.typecasts.keys
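Review bot: deleting the two table entries is the right minimal fix, and `self.available_typecasts = self.typecasts.keys` below picks up the shorter list automatically. Two follow-ups: the table is a writable class-level Hash (every entry is assigned with `self.typecasts[...] =`, and the `def self.available_typecasts=(obj)` in the hunk header is public), so a regression spec asserting that "yaml" and "symbol" are absent from `available_typecasts` would catch them being quietly re-added, and the README or CHANGELOG should tell integrators not to register those two casts themselves.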
    
818f5263b1d5

fixed YAML remote code execution vulnerability

https://github.com/savonrb/nori · rubiii · Jan 9, 2013 · via ghsa
2 files changed · +7 -3
  • CHANGELOG.md (+7 -1, modified)
    @@ -1,3 +1,9 @@
    +# 2.0.2 (2013-01-09)
    +
    +* Fix for remote code execution bug. For more in-depth information, read about the
    +  recent [Rails hotfix](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ).
    +  Please make sure to upgrade now!
    +
     # 2.0.1 (2012-12-28)
     
     * Fix: [#29](https://github.com/savonrb/nori/issues/29) Nori now properly parses XML
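Review bot: the entry says "Fix for remote code execution bug" and links the Rails hotfix thread, but does not say what changed in nori itself: the "yaml" and "symbol" typecasts were removed (lib/nori/xml_utility_node.rb in this commit), so elements carrying type="yaml" or type="symbol" now come back uncast. That is a behaviour change callers may depend on and belongs in the changelog alongside the upgrade advice.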
    @@ -113,7 +119,7 @@ Please make sure to read the updated README for how to use the new version.
     
     ## 0.2.1 (2011-05-15)
     
    -* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.  
    +* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
       This avoids problems with attributes and child nodes having the same name.
     
           <multiRef id="id1">
    
  • lib/nori/xml_utility_node.rb (+0 -2, modified)
    @@ -77,9 +77,7 @@ def self.available_typecasts=(obj)
         self.typecasts["decimal"]       = lambda { |v| v.nil? ? nil : BigDecimal(v.to_s) }
         self.typecasts["double"]        = lambda { |v| v.nil? ? nil : v.to_f }
         self.typecasts["float"]         = lambda { |v| v.nil? ? nil : v.to_f }
    -    self.typecasts["symbol"]        = lambda { |v| v.nil? ? nil : v.to_sym }
         self.typecasts["string"]        = lambda { |v| v.to_s }
    -    self.typecasts["yaml"]          = lambda { |v| v.nil? ? nil : YAML.load(v) }
         self.typecasts["base64Binary"]  = lambda { |v| v.unpack('m').first }
     
         self.available_typecasts = self.typecasts.keys
    
d9b68667249b

fixed YAML remote code execution vulnerability

https://github.com/savonrb/nori · rubiii · Jan 9, 2013 · via ghsa
2 files changed · +7 -3
  • CHANGELOG.md (+7 -1, modified)
    @@ -1,3 +1,9 @@
    +## master
    +
    +* Fix for remote code execution bug. For more in-depth information, read about the
    +  recent [Rails hotfix](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ).
    +  Please make sure to upgrade now!
    +
     ## 1.1.3 (2012-07-12)
     
     * Fix: Merged [pull request 21](https://github.com/rubiii/nori/pull/21) to fix an
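Review bot: same heading problem as in 2ca6f8603e40: `## master` carries no version or date. The preceding entry is 1.1.3 and the advisory's package table gives 1.1.4 as the patched version for this series, so head the section with that release and the commit date, as the 2.0.2 commit does.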
    @@ -77,7 +83,7 @@
     
     ## 0.2.1 (2011-05-15)
     
    -* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.  
    +* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
       This avoids problems with attributes and child nodes having the same name.
     
           <multiRef id="id1">
    
  • lib/nori/xml_utility_node.rb (+0 -2, modified)
    @@ -77,9 +77,7 @@ def self.available_typecasts=(obj)
         self.typecasts["decimal"]       = lambda { |v| v.nil? ? nil : BigDecimal(v.to_s) }
         self.typecasts["double"]        = lambda { |v| v.nil? ? nil : v.to_f }
         self.typecasts["float"]         = lambda { |v| v.nil? ? nil : v.to_f }
    -    self.typecasts["symbol"]        = lambda { |v| v.nil? ? nil : v.to_sym }
         self.typecasts["string"]        = lambda { |v| v.to_s }
    -    self.typecasts["yaml"]          = lambda { |v| v.nil? ? nil : YAML.load(v) }
         self.typecasts["base64Binary"]  = lambda { |v| v.unpack('m').first }
     
         self.available_typecasts = self.typecasts.keys
    
