Skip to content

extlib does not properly restrict casts of string values

High severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Aug 28, 2023

Package

bundler extlib (RubyGems)

Affected versions

< 0.9.16

Patched versions

0.9.16

Description

The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

References

Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Aug 28, 2023

Severity

High

EPSS score

3.796%
(92nd percentile)

Weaknesses

CVE ID

CVE-2013-1802

GHSA ID

GHSA-9h36-4jf2-hx53

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.