Vulnerability details: VCID-58sa-6uag-z7hp
Vulnerability ID VCID-58sa-6uag-z7hp
Aliases CVE-2013-0156
GHSA-jmgw-6vjg-jjwg
OSV-89026
Summary actionpack Improper Input Validation vulnerability. `active_support/core_ext/hash/conversions.rb` in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Status Published
Exploitability None
Weighted Severity None
Risk None
Weaknesses (4)
System Score Found at
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-0153.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-0154.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-0155.html
epss 0.91907 https://api.first.org/data/v1/epss?cve=CVE-2013-0156
generic_textual HIGH https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-jmgw-6vjg-jjwg
generic_textual HIGH https://github.com/rails/rails
generic_textual HIGH https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2013-0156
generic_textual HIGH https://web.archive.org/web/20140111025708/http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
generic_textual HIGH https://web.archive.org/web/20160415043747/https://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
generic_textual HIGH https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156
generic_textual HIGH http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
generic_textual HIGH http://www.debian.org/security/2013/dsa-2604
generic_textual HIGH http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
generic_textual HIGH http://www.insinuator.net/2013/01/rails-yaml
generic_textual HIGH http://www.kb.cert.org/vuls/id/380039
generic_textual HIGH http://www.kb.cert.org/vuls/id/628463
Reference id Reference type URL
http://rhn.redhat.com/errata/RHSA-2013-0153.html
http://rhn.redhat.com/errata/RHSA-2013-0154.html
http://rhn.redhat.com/errata/RHSA-2013-0155.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0156.json
https://api.first.org/data/v1/epss?cve=CVE-2013-0156
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156
https://github.com/rails/rails
https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/2013-0156/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
https://nvd.nist.gov/vuln/detail/CVE-2013-0156
https://web.archive.org/web/20140111025708/http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
https://web.archive.org/web/20160415043747/https://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
http://www.debian.org/security/2013/dsa-2604
http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
http://www.insinuator.net/2013/01/rails-yaml
http://www.insinuator.net/2013/01/rails-yaml/
http://www.kb.cert.org/vuls/id/380039
http://www.kb.cert.org/vuls/id/628463
697722 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697722
892870 https://bugzilla.redhat.com/show_bug.cgi?id=892870
CVE-2013-0156 https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156/
CVE-2013-0156;OSVDB-89026 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/24019.rb
CVE-2013-0156;OSVDB-89026 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/27527.rb
GHSA-jmgw-6vjg-jjwg https://github.com/advisories/GHSA-jmgw-6vjg-jjwg
GLSA-201412-28 https://security.gentoo.org/glsa/201412-28
RHSA-2013:0153 https://access.redhat.com/errata/RHSA-2013:0153
RHSA-2013:0154 https://access.redhat.com/errata/RHSA-2013:0154
RHSA-2013:0155 https://access.redhat.com/errata/RHSA-2013:0155
Data source Exploit-DB
Date added Jan. 10, 2013
Description Ruby on Rails - XML Processor YAML Deserialization Code Execution (Metasploit)
Ransomware campaign use Known
Source publication date Jan. 10, 2013
Exploit type remote
Platform multiple
Source update date Jan. 10, 2013
Data source Metasploit
Description This module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any Ruby code remotely in the context of the application. This module has been tested across multiple versions of RoR 3.x and RoR 2.x. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.
Note
Reliability:
  - unknown-reliability
Stability:
  - unknown-stability
SideEffects:
  - unknown-side-effects
Ransomware campaign use Unknown
Source publication date Jan. 7, 2013
Platform Ruby
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
Exploit Prediction Scoring System (EPSS)
Percentile 0.99708
EPSS Score 0.91907
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:57:22.161114+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-jmgw-6vjg-jjwg/GHSA-jmgw-6vjg-jjwg.json 38.6.0