GHSA-jmgw-6vjg-jjwg · Severity: high · Ecosystem: rubygems — actionpack Improper Input Validation vulnerability
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Conclusion & alert: CVE-2013-0156 is rated High Exploit Risk (85/100): CVSS High severity, with high exploitation likelihood (EPSS 99.45%, 100th percentile). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +7.54% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 27527 | exploit_db | edb | 2013-08-12 | Exploit-DB ↗ |
| 24019 | exploit_db | edb | 2013-01-10 | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 91.91% | 99.45% | +7.54% |
| 2 | 2025-10-31 | 92.20% | 91.91% | -0.29% |
| 3 | 2025-10-10 | — | 92.20% | — |
Full EPSS history (21 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 2.0 | HIGH |
|
10.0 | 6.4 | [email protected] |
GHSA-jmgw-6vjg-jjwg · Severity: high · Ecosystem: rubygems — actionpack Improper Input Validation vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
high | CVE-2013-0156 high priority: Debian including 1 source packages (rails), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2013-0156 |
gentoo
|
high | CVE-2013-0156: 1 GLSA(s) (201412-28), 1 atom(s) (dev-ruby/rails); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-0156 |
redhat
|
critical | — | https://access.redhat.com/security/cve/CVE-2013-0156 |
suse
|
medium | CVE-2013-0156 severity moderate: SUSE including 21 source package names (ruby2.1-rubygem-extlib-0.9.16-1.1, ruby2.2-rubygem-extlib-0.9.16-7.4, …), 21 product×package rows across 5 product lines (SUSE Linux Enterprise Software Development Kit 11 SP2, SUSE Linux Enterprise Software Development Kit 11 SP4, … (5 product lines)): Fixed 21. | https://www.suse.com/security/cve/CVE-2013-0156/ |
ubuntu
|
high | CVE-2013-0156 high priority: Ubuntu including 5 source packages (libextlib-ruby, rails, ruby-activesupport-2.3, ruby-activesupport-3.2, ruby-extlib), 55 status rows across 11 suites (hardy, lucid, oneiric, precise, quantal, raring, saucy, trusty, upstream, utopic, vivid): DNE 25, not-affected 15, released 9, ignored 4, needs-triage 2. | https://ubuntu.com/security/CVE-2013-0156 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| rubyonrails | rails | >= 3.2.0, < 3.2.11 | cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* |
| rubyonrails | ruby_on_rails | < 2.3.15 | cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* |
| rubyonrails | ruby_on_rails | >= 3.0.0, < 3.0.19 | cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* |
| rubyonrails | ruby_on_rails | >= 3.1.0, < 3.1.10 | cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* |
| debian | debian_linux | 6.0 | cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* |
| debian | debian_linux | 7.0 | cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* |