製品・ソフトウェアに関する情報

JVN脆弱性詳細

Ruby on Rails の Active Record コンポーネントにおけるサービス運用妨害 (DoS) の脆弱性

Title	Ruby on Rails の Active Record コンポーネントにおけるサービス運用妨害 (DoS) の脆弱性
Summary	Ruby on Rails の Active Record コンポーネントは、シンボルからハッシュキーへの変換によって発生する特定のクエリ処理により、サービス運用妨害 (DoS) 状態にされる脆弱性が存在します。
Possible impacts	第三者により、where メソッドへの巧妙に細工された入力を介して、サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 18, 2013, midnight
Registration Date	March 22, 2013, 10:40 a.m.
Last Update	Dec. 18, 2014, 5:44 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

アップル

Apple Mac OS X 10.6.8

Apple Mac OS X Server 10.6.8

macOS Server (旧 OS X Server) 3.0 未満 (Apple Mac OS X v10.9 以降)

Ruby on Rails project

Rails 2.3.18 未満の 2.3.x

Rails 3.1.12 未満の 3.1.x

Rails 3.2.13 未満の 3.2.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-1854	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1854
Google Groups
2	CVE-2013-1854 Symbol DoS vulnerability in Active Record	https://groups.google.com/forum/#!topic/ruby-security-ann/o0Dsdk2WrQ0
National Vulnerability Database (NVD)
3	CVE-2013-1854	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1854

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Apple Mailing Lists
1	APPLE-SA-2013-06-04-1	http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
2	APPLE-SA-2013-10-22-5	http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
Apple Security Updates
3	HT5784	http://support.apple.com/kb/HT5784
4	HT5999	http://support.apple.com/kb/HT5999
Apple セキュリティアップデート
5	HT5784	http://support.apple.com/kb/HT5784?viewlocale=ja_JP
6	HT5999	http://support.apple.com/kb/HT5999?viewlocale=ja_JP
opensuse-updates
7	openSUSE-SU-2013:0659	http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html
8	openSUSE-SU-2013:0660	http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html
9	openSUSE-SU-2013:0664	http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html
10	openSUSE-SU-2013:0667	http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html
11	openSUSE-SU-2013:0668	http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html
Rails weblog
12	[SEC] [ANN] Rails 3.2.13, 3.1.12, and 2.3.18 have been released!	http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
Red Hat Security Advisory
13	RHSA-2013:0699	http://rhn.redhat.com/errata/RHSA-2013-0699.html
14	RHSA-2014:1863	https://rhn.redhat.com/errata/RHSA-2014-1863.html

その他

No	Name	URL
JVN
1	JVNVU#92046435	http://jvn.jp/cert/JVNVU92046435/index.html
2	JVNVU#95174988	http://jvn.jp/cert/JVNVU95174988/

Change Log

No	Changed Details	Date of change
0	[2013年03月22日] 掲載 [2013年04月26日] ベンダ情報：レッドハット (RHSA-2013:0699) を追加 [2013年05月21日] ベンダ情報：Novell (openSUSE-SU-2013:0668) を追加ベンダ情報：Novell (openSUSE-SU-2013:0667) を追加ベンダ情報：Novell (openSUSE-SU-2013:0659) を追加ベンダ情報：Novell (openSUSE-SU-2013:0664) を追加 [2013年06月07日] 影響を受けるシステム：アップル (HT5784) の情報を追加ベンダ情報：アップル (HT5784) を追加ベンダ情報：アップル (APPLE-SA-2013-06-04-1) を追加 [2013年11月11日] 影響を受けるシステム：アップル (HT5999) の情報を追加ベンダ情報：Novell (openSUSE-SU-2013:0660) を追加ベンダ情報：アップル (HT5999) を追加ベンダ情報：アップル (APPLE-SA-2013-10-22-5) を追加参考情報：JVN (JVNVU#95174988) を追加 [2014年12月18日] ベンダ情報：レッドハット (RHSA-2014:1863) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-1854

Summary	The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
Publication Date	March 20, 2013, 7:55 a.m.
Registration Date	Jan. 26, 2021, 3:37 p.m.
Last Update	Nov. 21, 2024, 10:50 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.17:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.0:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.1:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.11:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.12:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.13:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.14:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.15:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.16:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.0:beta1::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc3::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc4::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc5::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc6::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc7::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc8::::::
cpe:2.3:a:rubyonrails:rails:3.1.1:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.1:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.1.1:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.1:rc3::::::
cpe:2.3:a:rubyonrails:rails:3.1.2:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.2:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.1.2:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.4:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.4:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.5:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.5:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.2.0:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.7:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.8:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.9:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.3:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.6:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.7:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.8:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.9:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.10:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.1:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.5:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.6:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.10:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.11:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.12:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.2:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.2:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.3:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.3:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.3:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.2.4:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.4:rc1::::::

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
2	http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
3	http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
4	http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
5	http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html
6	http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html
7	http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html
8	http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html
9	http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html
10	http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html
11	http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html
12	http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html
13	http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html
14	http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html
15	http://rhn.redhat.com/errata/RHSA-2013-0699.html
16	http://rhn.redhat.com/errata/RHSA-2013-0699.html
17	http://rhn.redhat.com/errata/RHSA-2014-1863.html
18	http://rhn.redhat.com/errata/RHSA-2014-1863.html
19	http://support.apple.com/kb/HT5784
20	http://support.apple.com/kb/HT5784
21	http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
22	http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
23	https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain
24	https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.17:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.0:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.1:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.11:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.12:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.13:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.14:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.15:::::::*
cpe:2.3:a:rubyonrails:rails:2.3.16:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.0:beta1::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc3::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc4::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc5::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc6::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:rc7::::::
cpe:2.3:a:rubyonrails:rails:3.1.0:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc8::::::
cpe:2.3:a:rubyonrails:rails:3.1.1:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.1:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.1.1:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.1:rc3::::::
cpe:2.3:a:rubyonrails:rails:3.1.2:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.2:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.1.2:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.4:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.4:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.1.5:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.5:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.2.0:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.7:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.8:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.9:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.3:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.6:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.7:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.8:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.9:::::::*
cpe:2.3:a:rubyonrails:rails:3.1.10:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.1:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.5:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.6:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.10:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.11:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.12:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.2:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.2:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.3:rc1::::::
cpe:2.3:a:rubyonrails:rails:3.2.3:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.3:rc2::::::
cpe:2.3:a:rubyonrails:rails:3.2.4:::::::*
cpe:2.3:a:rubyonrails:rails:3.2.4:rc1::::::