Moderate severityNVD Advisory· Published Mar 19, 2013· Updated Jun 16, 2026
CVE-2013-1854
CVE-2013-1854
Description
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
activerecordRubyGems | >= 2.3.0, < 2.3.18 | 2.3.18 |
activerecordRubyGems | >= 3.1.0, < 3.1.12 | 3.1.12 |
activerecordRubyGems | >= 3.2.0, < 3.2.13 | 3.2.13 |
Affected products
63cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*+ 58 more
- cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.17:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
20- github.com/advisories/GHSA-3crr-9vmg-864vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-1854ghsaADVISORY
- lists.apple.com/archives/security-announce/2013/Jun/msg00000.htmlnvdWEB
- lists.apple.com/archives/security-announce/2013/Oct/msg00006.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2013-04/msg00070.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2013-04/msg00071.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2013-04/msg00075.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2013-04/msg00078.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2013-04/msg00079.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0699.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-1863.htmlnvdWEB
- support.apple.com/kb/HT5784nvdWEB
- weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-releasedghsaWEB
- access.redhat.com/errata/RHSA-2013:0699ghsaWEB
- access.redhat.com/errata/RHSA-2014:1863ghsaWEB
- access.redhat.com/security/cve/CVE-2013-1854ghsaWEB
- bugzilla.redhat.com/show_bug.cgighsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-1854.ymlghsaWEB
- groups.google.com/group/ruby-security-ann/msg/34e0d780b04308denvdWEB
- weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/nvd
News mentions
0No linked articles in our index yet.