{ "threat_severity" : "Moderate", "public_date" : "2013-02-11T00:00:00Z", "bugzilla" : { "description" : "rubygem-json: Denial of Service and SQL Injection", "id" : "909029", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=909029" }, "cvss" : { "cvss_base_score" : "7.5", "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\"" ], "statement" : "Red Hat Satellite tools ship RubyGem Json 1.4.6 which is earlier than affected 1.5.5 version however, this version of RubyGem is not affected to the flaw. We may update RubyGem in a future release.", "acknowledgement" : "Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Ben Murphy and Thomas Hollstegge (Zweitag) as the original reporters.", "affected_release" : [ { "product_name" : "Fuse ESB Enterprise 7.1.0", "release_date" : "2013-07-09T00:00:00Z", "advisory" : "RHSA-2013:1028", "cpe" : "cpe:/a:redhat:fuse_esb_enterprise:7.1.0" }, { "product_name" : "Red Hat JBoss Fuse 6.0", "release_date" : "2013-08-29T00:00:00Z", "advisory" : "RHSA-2013:1185", "cpe" : "cpe:/a:redhat:jboss_fuse:6.0.0" }, { "product_name" : "Red Hat JBoss SOA Platform 5.3", "release_date" : "2013-08-08T00:00:00Z", "advisory" : "RHSA-2013:1147", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "candlepin-0:0.7.24-1.el6_3" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "katello-0:1.2.1.1-1h.el6_4" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "katello-configure-0:1.2.3.1-4h.el6_4" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-actionpack-1:3.0.10-12.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-activemodel-0:3.0.10-3.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-delayed_job-0:2.1.4-3.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-json-0:1.7.3-2.el6_3" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-rack-1:1.3.0-4.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-rails_warden-0:0.5.5-2.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-rdoc-0:3.8-6.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "thumbslug-0:0.0.28.1-1.el6_4" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-02T00:00:00Z", "advisory" : "RHSA-2013:0701", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-ruby-0:1.9.3.327-28.el6" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-02T00:00:00Z", "advisory" : "RHSA-2013:0701", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "rubygem-json-0:1.7.3-2.el6op" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-02T00:00:00Z", "advisory" : "RHSA-2013:0701", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "rubygem-rdoc-0:3.8-9.el6op" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise MRG 2", "fix_state" : "Affected", "package_name" : "rubygem-json", "cpe" : "cpe:/a:redhat:enterprise_mrg:2" }, { "product_name" : "Red Hat JBoss SOA Platform 4", "fix_state" : "Will not fix", "package_name" : "jruby", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:4" }, { "product_name" : "Red Hat JBoss SOA Platform 5", "fix_state" : "Affected", "package_name" : "jruby", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite-tools", "cpe" : "cpe:/a:redhat:satellite:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-0269\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-0269\nhttp://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/" ], "name" : "CVE-2013-0269", "csaw" : false }