{"id":"UBUNTU-CVE-2013-1802","details":"The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.","modified":"2025-07-16T08:10:41.942808Z","published":"2013-04-09T20:55:00Z","withdrawn":"2025-07-18T16:42:50Z","upstream":["CVE-2013-1802"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2013-1802"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2013-1802"}],"affected":[{"package":{"name":"ruby-extlib","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/ruby-extlib@0.9.15-3?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.9.15-3"}]}],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"0.9.15-3","binary_name":"libextlib-ruby"},{"binary_version":"0.9.15-3","binary_name":"libextlib-ruby-doc"},{"binary_version":"0.9.15-3","binary_name":"libextlib-ruby1.8"},{"binary_version":"0.9.15-3","binary_name":"libextlib-ruby1.9.1"},{"binary_version":"0.9.15-3","binary_name":"ruby-extlib"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2013/UBUNTU-CVE-2013-1802.json"}}],"schema_version":"1.7.3","severity":[{"type":"Ubuntu","score":"medium"}]}