7.5

CVSS Score

Basic Information

CVE ID

CVE-2013-0269

GHSA ID

GHSA-x457-cw4h-hq5f

EPSS Score

0.92683%

CWE

CWE-20

Published

10/24/2017

Updated

11/6/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-0269

CVE-2013-0269: JSON gem has Improper Input Validation vulnerability

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2013-0269

GHSA ID

GHSA-x457-cw4h-hq5f

EPSS Score

0.92683%

CWE

CWE-20

Published

10/24/2017

Updated

11/6/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
json	rubygems	< 1.5.5	1.5.5
json	rubygems	>= 1.6.0, < 1.6.8	1.6.8
json	rubygems	>= 1.7.0, < 1.7.7	1.7.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from JSON parsing logic allowing arbitrary object creation via the 'json_class' field. The root cause is the default 'create_additions: true' behavior in JSON.parse, which triggers class instantiation. The patches explicitly disable this by default (CVE-2013-0269 advisory workaround suggests setting create_additions: false). The ext/parser implementation handles the actual object creation when this flag is enabled, making these functions the attack surface.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** JSON **m ***or* *.*.*, *.*.x ***or* *.*.*, *n* *.*.x ***or* *.*.* *or Ru*y *llows r*mot* *tt**k*rs to **us* * **ni*l o* s*rvi** (r*sour** *onsumption) or *yp*ss t** m*ss *ssi*nm*nt prot**tion m****nism vi* * *r**t** JSON *o*um*nt t**t tri***rs t*

Reasoning

T** vuln*r**ility st*ms *rom JSON p*rsin* lo*i* *llowin* *r*itr*ry o*j**t *r**tion vi* t** 'json_*l*ss' *i*l*. T** root **us* is t** ****ult '*r**t*_***itions: tru*' ****vior in JSON.p*rs*, w*i** tri***rs *l*ss inst*nti*tion. T** p*t***s *xpli*itly *

7.5

Basic Information

Concerned about an active attack path?

CVE-2013-0269: JSON gem has Improper Input Validation vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI