CVE-2013-1854
Active Record Improper Input Validation
EPSS 1.8%
Description
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. The impact comes from the Ruby runtime of the time: in Ruby 1.9 and 2.0 symbols are never garbage collected, so an application that passes a user-controlled hash (for example a request parameters hash) to `where` lets the client intern one new permanent symbol per unique key, and a stream of requests with many unique keys exhausts the process's memory.
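The mechanism above, as an added example that is not code from the Rails project or from this advisory: a minimal stand-in for the hash handling in `where`, with the vulnerable path (every key interned) beside an application-level mitigation (keys checked as strings against the model's columns before any symbol is created). The column list `COLUMNS`, the helper names and the `UnknownAttributeError` class are constructed for the example, and Ruby 1.9/2.0's non-collected symbols are modelled by disabling GC during the measurement; the mitigation is not the upstream patch.

```ruby
require "securerandom"

# Constructed stand-in for a model's schema; a real app would use
# Model.column_names.
COLUMNS = %w[id email name created_at].freeze

class UnknownAttributeError < StandardError; end

# Vulnerable pattern: the pre-fix behaviour the advisory describes. Every
# hash key is interned as a Symbol, so `User.where(params[:filter])` lets
# the client decide what gets interned.
def vulnerable_where_keys(conditions)
  conditions.keys.map(&:to_sym)
end

# Mitigated pattern: keys are compared as Strings against the column list,
# so no Symbol is ever created for a name the attacker invented.
def safe_where_keys(conditions)
  conditions.keys.map do |k|
    key = k.to_s
    raise UnknownAttributeError, "unknown column #{key.inspect}" unless COLUMNS.include?(key)
    key.to_sym
  end
end

# True when the mitigated path refuses the given conditions hash.
def rejected?(conditions)
  safe_where_keys(conditions)
  false
rescue UnknownAttributeError
  true
end

# Count how many new Symbols an implementation interns when fed n distinct
# attacker-chosen keys. GC is disabled inside the measured window so the
# result is deterministic; on Ruby 1.9/2.0 every such symbol stayed resident
# for the life of the process regardless of GC.
def symbols_interned(n, impl)
  keys = Array.new(n) { "x_#{SecureRandom.hex(8)}" } # built before measuring
  # Warm-up call so any one-time interning happens outside the window.
  begin
    send(impl, { "warmup" => 1 })
  rescue UnknownAttributeError
    nil
  end
  GC.disable
  before = Symbol.all_symbols.size
  keys.each do |k|
    begin
      send(impl, { k => 1 })
    rescue UnknownAttributeError
      nil # the mitigated path rejects the key instead of interning it
    end
  end
  Symbol.all_symbols.size - before
ensure
  GC.enable
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{symbols_interned(1000, :vulnerable_where_keys)} new symbols"
  puts "mitigated:  #{symbols_interned(1000, :safe_where_keys)} new symbols"
end
```

Run stand-alone it reports one new symbol per attacker key for the vulnerable path and none for the mitigated one; the same allowlist check belongs in front of any query method that receives a request-supplied hash, not only `where`.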
How to fix CVE-2013-1854
To remediate CVE-2013-1854, upgrade the affected package to the fixed version for the release branch you are on:
- Debian/rails: upgrade to 2.3.14.1 or later
- RubyGems/activerecord: upgrade to 2.3.18 or later on the 2.3.x branch, 3.1.12 or later on 3.1.x, or 3.2.13 or later on 3.2.x
Until the upgrade is deployed, do not pass request-supplied hashes (such as `params[...]`) directly to `where` or other query methods; filter them to known column names first.
Is CVE-2013-1854 being exploited?
Low. The EPSS score of 1.8% is an estimated probability that the vulnerability is exploited in the wild within the next 30 days, not a count of observed attacks. Note that the attack itself needs no exploit code beyond sending requests whose parameter names are unique, so exposure depends entirely on whether the application passes user-controlled hashes to query methods.
Affected packages (2)
- Debian/rails: < 2.3.14.1
- RubyGems/activerecord: >= 2.3.0, < 2.3.18; >= 3.1.0, < 3.1.12; >= 3.2.0, < 3.2.13