CVE-2013-1854

NameCVE-2013-1854
DescriptionThe Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-2655-1
Debian Bugs703348

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rails (PTS)buster2:5.2.2.1+dfsg-1+deb10u3fixed
buster (security)2:5.2.2.1+dfsg-1+deb10u5fixed
bullseye (security), bullseye2:6.0.3.7+dfsg-2+deb11u2fixed
bookworm2:6.1.7.3+dfsg-1fixed
sid, trixie2:6.1.7.3+dfsg-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
railssourcesqueeze2.3.5-1.2+squeeze8DSA-2655-1
railssource(unstable)2.3.14.1
ruby-activerecord-2.3source(unstable)2.3.14-6
ruby-activerecord-3.2source(unstable)3.2.6-5703348
ruby-activesupport-2.3source(unstable)2.3.14-7

Notes

Starting with 2.3.14.1 rails is a transition package

Search for package or bug name: Reporting problems