CVE-2013-1800
Description
The crack gem 0.3.1 and earlier for Ruby allows object injection and arbitrary code execution via improper restriction of YAML and Symbol type conversions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The crack gem 0.3.1 and earlier for Ruby allows object injection and arbitrary code execution via improper restriction of YAML and Symbol type conversions.
Vulnerability
The crack gem (versions 0.3.1 and earlier) for Ruby fails to properly restrict casts of string values when parsing XML or other data. This allows YAML type conversion and Symbol type conversion, enabling object injection attacks. The vulnerability is similar to CVE-2013-0156. [1][2]
Exploitation
An attacker can exploit this by providing crafted input that triggers YAML or Symbol type conversion. No authentication is required; the attacker only needs to send a malicious request to an application using Action Pack with crack gem. The exploit can be performed remotely. [1][2]
Impact
Successful exploitation can lead to arbitrary code execution or denial of service (memory and CPU consumption). The attacker can inject arbitrary objects, potentially gaining full control of the application. [1][2]
Mitigation
The fix was implemented in commit e3da1212a1f84a898ee3601336d1dbbf118fb5f6, which removed support for symbol and yaml type conversions. Users should upgrade to a patched version of the crack gem. The openSUSE security advisory [1] and Red Hat bugzilla [2] provide details. No workaround is mentioned; upgrading is recommended. [1][2][3]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
crackRubyGems | < 0.3.2 | 0.3.2 |
Affected products
5cpe:2.3:a:john_nunemaker:crack:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:john_nunemaker:crack:*:*:*:*:*:*:*:*range: <=0.3.1
- cpe:2.3:a:john_nunemaker:crack:0.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:john_nunemaker:crack:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:john_nunemaker:crack:0.3.0:*:*:*:*:*:*:*
Patches
1e3da1212a1f8Remove support for symbol and yaml.
2 files changed · +11 −20
lib/crack/xml.rb+0 −2 modified@@ -40,9 +40,7 @@ def self.available_typecasts=(obj) self.typecasts["decimal"] = lambda{|v| v.nil? ? nil : BigDecimal(v.to_s)} self.typecasts["double"] = lambda{|v| v.nil? ? nil : v.to_f} self.typecasts["float"] = lambda{|v| v.nil? ? nil : v.to_f} - self.typecasts["symbol"] = lambda{|v| v.nil? ? nil : v.to_sym} self.typecasts["string"] = lambda{|v| v.to_s} - self.typecasts["yaml"] = lambda{|v| v.nil? ? nil : YAML.load(v)} self.typecasts["base64Binary"] = lambda{|v| v.unpack('m').first } self.available_typecasts = self.typecasts.keys
test/xml_test.rb+11 −18 modified@@ -65,10 +65,10 @@ class XmlTest < Test::Unit::TestCase } } } - + Crack::XML.parse(xml).should == hash end - + context "Parsing xml with text and attributes" do setup do xml =<<-XML @@ -90,20 +90,20 @@ class XmlTest < Test::Unit::TestCase } } end - + should "be parse attributes for text node if present" do @data['opt']['user'][0].attributes.should == {'login' => 'grep'} end - + should "default attributes to empty hash if not present" do @data['opt']['user'][1].attributes.should == {} end - + should "add 'attributes' accessor methods to parsed instances of String" do @data['opt']['user'][0].respond_to?(:attributes).should be(true) @data['opt']['user'][0].respond_to?(:attributes=).should be(true) end - + should "not add 'attributes' accessor methods to all instances of String" do "some-string".respond_to?(:attributes).should be(false) "some-string".respond_to?(:attributes=).should be(false) @@ -149,7 +149,7 @@ class XmlTest < Test::Unit::TestCase Crack::XML.parse(xml)['tag'].should =~ Regexp.new(k) end end - + should "should unescape XML entities in attributes" do xml_entities.each do |k,v| xml = "<tag attr='Some content #{v}'></tag>" @@ -226,7 +226,6 @@ class XmlTest < Test::Unit::TestCase <approved type="boolean"></approved> <written-on type="date"></written-on> <viewed-at type="datetime"></viewed-at> - <content type="yaml"></content> <parent-id></parent-id> </topic> EOT @@ -237,7 +236,6 @@ class XmlTest < Test::Unit::TestCase 'approved' => nil, 'written_on' => nil, 'viewed_at' => nil, - 'content' => nil, 'parent_id' => nil } Crack::XML.parse(topic_xml)["topic"].should == expected_topic_hash @@ -254,7 +252,6 @@ class XmlTest < Test::Unit::TestCase <replies-close-in type="integer">2592000000</replies-close-in> <written-on type="date">2003-07-16</written-on> <viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at> - <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n should_have_underscores: true\n</content> <author-email-address>david@loudthinking.com</author-email-address> <parent-id></parent-id> <ad-revenue type="decimal">1.5</ad-revenue> @@ -272,15 +269,11 @@ class XmlTest < Test::Unit::TestCase 'replies_close_in' => 2592000000, 'written_on' => Date.new(2003, 7, 16), 'viewed_at' => Time.utc(2003, 7, 16, 9, 28), - # Changed this line where the key is :message. The yaml specifies this as a symbol, and who am I to change what you specify - # The line in ActiveSupport is - # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] }, - 'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] }, 'author_email_address' => "david@loudthinking.com", 'parent_id' => nil, 'ad_revenue' => BigDecimal("1.50"), 'optimum_viewing_angle' => 135.0, - 'resident' => :yes + 'resident' => 'yes', } Crack::XML.parse(topic_xml)["topic"].each do |k,v| @@ -487,13 +480,13 @@ class XmlTest < Test::Unit::TestCase Crack::XML.parse(xml_string)['person'].should == expected_hash end - + should "handle an empty xml string" do Crack::XML.parse('').should == {} end - + # As returned in the response body by the unfuddle XML API when creating objects should "handle an xml string containing a single space" do Crack::XML.parse(' ').should == {} end -end \ No newline at end of file +end
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6nvdExploitPatchWEB
- secunia.com/advisories/52897nvdVendor Advisory
- github.com/advisories/GHSA-m7fq-cf8q-35q7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-1800ghsaADVISORY
- lists.opensuse.org/opensuse-security-announce/2013-04/msg00003.htmlnvdWEB
- bugzilla.novell.com/show_bug.cginvdWEB
- bugzilla.redhat.com/show_bug.cginvdWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/crack/CVE-2013-1800.ymlghsaWEB
- support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediatelynvdWEB
- web.archive.org/web/20130203232028/https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediatelyghsaWEB
News mentions
0No linked articles in our index yet.