CVE-2013-0156

EPSS 91.91% · P100 Updated Feb 21, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2013-0156

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Description

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

Ruby on Rails 输入验证错误漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Ruby on Rails是美国Rails团队的一套基于Ruby语言的开源Web应用框架。 Ruby on Rails存在输入验证错误漏洞，该漏洞源于没有正确限制字符串值的转换，允许远程攻击者进行注入并执行任意代码。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
-	n/a	n/a	-

II. Public POCs for CVE-2013-0156

#	POC Description	Source Link	Shenlong Link
1	Silly Rails App to demonstrate vuln CVE-2013-0156	https://github.com/terracatta/name_reverser	POC Details
2	Inspect all of your heroku apps to see if they are running a vulnerable version of Rails	https://github.com/heroku/heroku-CVE-2013-0156	POC Details
3	crack repo from jnunemaker but with version 0.1.8 and rails CVE-2013-0156 vulnerability fixed	https://github.com/josal/crack-0.1.8-fixed	POC Details
4	Bootstrapped Rails 3.2.10 to test the remote code exploit CVE-2013-0156	https://github.com/bsodmike/rails-exploit-cve-2013-0156	POC Details
5	Arbitrary deserialization that can be used to trigger SQL injection and even Code execution	https://github.com/R3dKn33-zz/CVE-2013-0156	POC Details
6	Pseudo shell for CVE-2013-0156.	https://github.com/Jjdt12/kuang_grade_mk11	POC Details
7	This script is specifically designed to solve the challenge on PentesterLab for the CVE-2013-0156 exploit	https://github.com/oxBEN10/CVE-2013-0156	POC Details
8	This script is specifically designed to solve the challenge on PentesterLab for the CVE-2013-0156 exploit	https://github.com/oxben10/CVE-2013-0156	POC Details
9	Infoblox NetMRI virtual appliances before version 7.6.1 are vulnerable to remote code execution (RCE) due to the use of a hardcoded Ruby on Rails session cookie secret key. The Rails web component deserializes session cookies if the signing key is valid. Attackers with knowledge of this key can craft malicious session cookies that are deserialized by the application, leading to arbitrary code execution. This vulnerability is related to the known Ruby on Rails deserialization flaw (CVE-2013-0156). Infoblox did not assign a new CVE for this issue, as it is a result of the underlying Rails vulnerability.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/infoblox/infoblox-netmri-rails-cookie-rce.yaml	POC Details
10	Modified ruby script for RCE	https://github.com/7s26simon/CVE-2013-0156	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2013-0156

请登录查看更多情报信息。

http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/x_refsource_CONFIRM
🔗 http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.htmlx_refsource_CONFIRM
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156x_refsource_MISC
🔗 https://puppet.com/security/cve/cve-2013-0156x_refsource_CONFIRM
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01Ax_refsource_MISC
http://www.insinuator.net/2013/01/rails-yaml/x_refsource_MISC
http://www.debian.org/security/2013/dsa-2604vendor-advisoryx_refsource_DEBIAN
http://www.kb.cert.org/vuls/id/628463third-party-advisoryx_refsource_CERT-VN
http://www.kb.cert.org/vuls/id/380039third-party-advisoryx_refsource_CERT-VN
http://rhn.redhat.com/errata/RHSA-2013-0155.htmlvendor-advisoryx_refsource_REDHAT
RHSA-2013:0153 - Security Advisory - Red Hat Customer Portalvendor-advisoryx_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2013-0154.htmlvendor-advisoryx_refsource_REDHAT
https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplainmailing-listx_refsource_MLIST
https://nvd.nist.gov/vuln/detail/CVE-2013-0156

Same Patch Batch · n/a · 2013-01-13 · 29 CVEs total

CVE-2013-0757		Mozilla Firefox/Thunderbird/SeaMonkey COW绕过权限提升漏洞
CVE-2013-0771		Mozilla Firefox/Thunderbird/SeaMonkey 基于堆的缓冲区错误漏洞
CVE-2013-0770		Mozilla Firefox/Thunderbird/SeaMonkey 内存破坏漏洞
CVE-2013-0769		Mozilla Firefox/Thunderbird/SeaMonkey 内存破坏漏洞
CVE-2013-0768		Mozilla Firefox/Thunderbird/SeaMonkey Canvas缓冲区错误漏洞
CVE-2013-0767		Mozilla Firefox/Thunderbird/SeaMonkey 越界读取漏洞
CVE-2013-0766		Mozilla Firefox/Thunderbird/SeaMonkey 释放后使用漏洞
CVE-2013-0764		Mozilla Firefox/Thunderbird/SeaMonkey 任意代码执行漏洞
CVE-2013-0763		Mozilla Firefox/Thunderbird/SeaMonkey Mesa释放后使用漏洞
CVE-2013-0762		Mozilla Firefox/Thunderbird/SeaMonkey 释放后使用漏洞
CVE-2013-0761		Mozilla Firefox/Thunderbird/SeaMonkey 释放后使用漏洞
CVE-2013-0760		Mozilla Firefox/Thunderbird/SeaMonkey 缓冲区错误漏洞
CVE-2013-0759		Mozilla Firefox/SeaMonkey/Thunderbird 地址栏欺骗漏洞
CVE-2013-0758		Mozilla Firefox/Thunderbird/SeaMonkey 权限提升漏洞
CVE-2013-0155		Ruby on Rails 不安全查询生成漏洞
CVE-2013-0756		Mozilla Firefox/Thunderbird/SeaMonkey ‘obj_toSource’函数释放后使用漏洞
CVE-2013-0755		Mozilla Firefox/Thunderbird/SeaMonkey Vibrate释放后使用漏洞
CVE-2013-0754		Mozilla Firefox/Thunderbird/SeaMonkey 释放后使用漏洞
CVE-2013-0753		Mozilla Firefox/Thunderbird/SeaMonkey ‘serializeToStream’释放后使用漏洞
CVE-2013-0752		Mozilla Firefox/Thunderbird/SeaMonkey XBL处理内存破坏漏洞

Showing top 20 of 29 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: n/a

Same vendor: n/a

V. Comments for CVE-2013-0156

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2013-0156

I. Basic Information for CVE-2013-0156

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2013-0156

III. Intelligence Information for CVE-2013-0156

Same Patch Batch · n/a · 2013-01-13 · 29 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2013-0156

Leave a comment