Vulnerability Report

CVE-2013-0269

Title: Rubygems Json Gem Injection (SQLi/OSi)

SQLi

Proof Of Concept

PoC Available for CVE-2013-0269

CWE Category CWE-20

Published Date Feb 13, 2013

Modified Date Apr 29, 2026

Exploit Status Available

Score 7.5 CVSS v2.0

Exploit Probability (EPSS)

17.32%

Vulnerability Summary

CVE-2013-0269: The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

Impacted Vendors

rubygems 1

Reference Links

http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html http://rhn.redhat.com/errata/RHSA-2013-0686.html http://rhn.redhat.com/errata/RHSA-2013-0701.html http://rhn.redhat.com/errata/RHSA-2013-1028.html http://rhn.redhat.com/errata/RHSA-2013-1147.html http://secunia.com/advisories/52075 http://secunia.com/advisories/52774 http://secunia.com/advisories/52902 http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ http://www.openwall.com/lists/oss-security/2013/02/11/7 http://www.openwall.com/lists/oss-security/2013/02/11/8 http://www.osvdb.org/90074 http://www.securityfocus.com/bid/57899 http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862 http://www.ubuntu.com/usn/USN-1733-1 http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection https://exchange.xforce.ibmcloud.com/vulnerabilities/82010 https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain https://puppet.com/security/cve/cve-2013-0269 http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html http://rhn.redhat.com/errata/RHSA-2013-0686.html http://rhn.redhat.com/errata/RHSA-2013-0701.html http://rhn.redhat.com/errata/RHSA-2013-1028.html http://rhn.redhat.com/errata/RHSA-2013-1147.html http://secunia.com/advisories/52075 http://secunia.com/advisories/52774 http://secunia.com/advisories/52902 http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ http://www.openwall.com/lists/oss-security/2013/02/11/7 http://www.openwall.com/lists/oss-security/2013/02/11/8 http://www.osvdb.org/90074 http://www.securityfocus.com/bid/57899 http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862 http://www.ubuntu.com/usn/USN-1733-1 http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection https://exchange.xforce.ibmcloud.com/vulnerabilities/82010 https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain https://puppet.com/security/cve/cve-2013-0269

CVSS v2.0

Source Entity [email protected]

Severity HIGH

7.5

Access Vector

N/A

Authentication

N/A

RAW VECTOR AV:N/AC:L/Au:N/C:P/I:P/A:P

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2013-0269 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/heroku/heroku-CVE-2013-0269

View Code

April 29, 2026 MODIFIED

Vulnerability data updated via NVD.

April 11, 2025 MODIFIED

Vulnerability data or affected products updated.

February 13, 2013 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector N/A

Complexity N/A

Privileges N/A

Interaction NONE

CVSS Vector String


                                    AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected Stack

No specific products linked.