Информационная безопасность
[RU] switch to English


Многочисленные уязвимости безопасности в Ruby
Опубликовано:24 февраля 2013 г.
Источник:
SecurityVulns ID:12900
Тип:библиотека
Уровень опасности:
6/10
Описание:Межсайтовый скрипинг, обход защиты.
Затронутые продукты:RUBY : ruby 1.9
CVE:CVE-2013-0269 (The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability.")
 CVE-2013-0256 (darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.)
 CVE-2012-5371 (Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.)
Оригинальный текстdocumentUBUNTU, [USN-1733-1] Ruby vulnerabilities (24.02.2013)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород