Vulnerability details: VCID-carc-ntrd-ebfe
Vulnerability ID VCID-carc-ntrd-ebfe
Aliases CVE-2013-0156
GHSA-jmgw-6vjg-jjwg
OSV-89026
Summary Multiple vulnerabilities in parameter parsing in Action Pack There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-0153.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-0154.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2013-0155.html
epss 0.91907 https://api.first.org/data/v1/epss?cve=CVE-2013-0156
generic_textual HIGH https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-jmgw-6vjg-jjwg
generic_textual HIGH https://github.com/rails/rails
generic_textual HIGH https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2013-0156
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2013-0156
generic_textual HIGH https://web.archive.org/web/20140111025708/http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
generic_textual HIGH https://web.archive.org/web/20160415043747/https://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
generic_textual HIGH https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156
generic_textual HIGH http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
generic_textual HIGH http://www.debian.org/security/2013/dsa-2604
generic_textual HIGH http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
generic_textual HIGH http://www.insinuator.net/2013/01/rails-yaml
generic_textual HIGH http://www.kb.cert.org/vuls/id/380039
generic_textual HIGH http://www.kb.cert.org/vuls/id/628463
Reference id Reference type URL
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
http://rhn.redhat.com/errata/RHSA-2013-0153.html
http://rhn.redhat.com/errata/RHSA-2013-0154.html
http://rhn.redhat.com/errata/RHSA-2013-0155.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0156.json
https://api.first.org/data/v1/epss?cve=CVE-2013-0156
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156
https://github.com/rails/rails
https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/2013-0156/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
https://nvd.nist.gov/vuln/detail/CVE-2013-0156
https://puppet.com/security/cve/cve-2013-0156
https://web.archive.org/web/20140111025708/http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
https://web.archive.org/web/20160415043747/https://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
http://www.debian.org/security/2013/dsa-2604
http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
http://www.insinuator.net/2013/01/rails-yaml
http://www.insinuator.net/2013/01/rails-yaml/
http://www.kb.cert.org/vuls/id/380039
http://www.kb.cert.org/vuls/id/628463
697722 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697722
892870 https://bugzilla.redhat.com/show_bug.cgi?id=892870
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
CVE-2013-0156 https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156/
CVE-2013-0156;OSVDB-89026 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/24019.rb
CVE-2013-0156;OSVDB-89026 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/27527.rb
GHSA-jmgw-6vjg-jjwg https://github.com/advisories/GHSA-jmgw-6vjg-jjwg
GLSA-201412-28 https://security.gentoo.org/glsa/201412-28
RHSA-2013:0153 https://access.redhat.com/errata/RHSA-2013:0153
RHSA-2013:0154 https://access.redhat.com/errata/RHSA-2013:0154
RHSA-2013:0155 https://access.redhat.com/errata/RHSA-2013:0155
Data source Exploit-DB
Date added Jan. 10, 2013
Description Ruby on Rails - XML Processor YAML Deserialization Code Execution (Metasploit)
Ransomware campaign use Known
Source publication date Jan. 10, 2013
Exploit type remote
Platform multiple
Source update date Jan. 10, 2013
Data source Metasploit
Description This module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This module has been tested across multiple versions of RoR 3.x and RoR 2.x. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.
Note
Reliability:
  - unknown-reliability
Stability:
  - unknown-stability
SideEffects:
  - unknown-side-effects
Ransomware campaign use Unknown
Source publication date Jan. 7, 2013
Platform Ruby
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2013-0156
Exploitability (E) not_defined (no temporal metric in the vector)
Access Vector (AV) network
Access Complexity (AC) low
Authentication (Au) none
Confidentiality Impact (C) partial
Integrity Impact (I) partial
Availability Impact (A) partial

Exploit Prediction Scoring System (EPSS)
Percentile 0.99689
EPSS Score 0.91907
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:46:47.865323+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-0156.yml 38.0.0