GHSA-9h36-4jf2-hx53

Suggest an improvement
Source
https://github.com/advisories/GHSA-9h36-4jf2-hx53
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-9h36-4jf2-hx53/GHSA-9h36-4jf2-hx53.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9h36-4jf2-hx53
Aliases
Published
2017-10-24T18:33:37Z
Modified
2024-12-03T05:50:35.646322Z
Summary
extlib does not properly restrict casts of string values
Details

The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-704"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:28:42Z"
}
References

Affected packages

RubyGems / extlib

Package

Name
extlib
Purl
pkg:gem/extlib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.16

Affected versions

0.*

0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15