CVE-2013-0285 is an object injection vulnerability discovered in the Nori gem for Ruby. This flaw allows remote attackers to execute arbitrary code or trigger a denial of service by exploiting improper handling of string casts within XML parsing. The vulnerability impacts versions of Nori up to and including 2.0.0, and a fix is available in version 2.0.2.
Successful exploitation of CVE-2013-0285 allows an attacker to inject malicious objects into the application's memory space. This can lead to arbitrary code execution, granting the attacker complete control over the affected system. The vulnerability stems from the gem's failure to properly restrict casts of string values, enabling the creation of nested XML entity references that trigger unintended behavior. This is similar to the object injection vulnerabilities seen in CVE-2013-0156, highlighting a broader issue with XML parsing libraries in Ruby applications. The potential impact includes data breaches, system compromise, and disruption of service.
CVE-2013-0285 was publicly disclosed in 2017. While no active exploitation campaigns have been definitively linked to this specific CVE, the similarity to CVE-2013-0156 suggests a potential for exploitation, particularly in legacy applications still using vulnerable versions of the Nori gem. The EPSS score is likely medium, reflecting the potential for exploitation and the availability of a straightforward fix. It is not listed on the CISA KEV catalog.
Applications utilizing the Nori gem for XML parsing, particularly those handling untrusted input, are at risk. This includes web applications, APIs, and any Ruby-based system that processes XML data from external sources. Legacy applications that have not been regularly updated are especially vulnerable.
• ruby / server:
  grep -r "nori.gem" /var/log/ruby/production.log
  bundle list | grep nori
• generic web:
  curl -I <your_ruby_app_url> | grep XML
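The inventory commands above only show whether Nori is installed; they do not tell you whether the resolved version is below the fixed 2.0.2. The following Ruby script, added here as an example and not part of the original page or of the Nori project, reads a Gemfile.lock, picks out the pinned nori version and compares it against 2.0.2 with Gem::Version. The lockfile text embedded in the script is a constructed sample; point the functions at your own Gemfile.lock contents.

```ruby
require 'rubygems' # provides Gem::Version (already loaded on modern Ruby)

# Version named on the page as carrying the fix for CVE-2013-0285.
FIXED_NORI_VERSION = Gem::Version.new("2.0.2")

# Extract the resolved nori version from Gemfile.lock text.
# A gem's own spec line is indented four spaces ("    nori (2.0.0)");
# dependency lines under another gem are indented six spaces and carry
# a requirement ("      nori (~> 2.0.0)"), so they are skipped on purpose.
def nori_version_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}nori \(([^)]+)\)/)
  match && Gem::Version.new(match[1])
end

# True when the resolved version is older than the fixed release.
def vulnerable_nori?(version)
  !version.nil? && version < FIXED_NORI_VERSION
end

# One-line verdict suitable for a CI check or a fleet-wide script.
def assess_lockfile(lock_text)
  version = nori_version_from_lockfile(lock_text)
  return "nori not present in lockfile" if version.nil?

  if vulnerable_nori?(version)
    "nori #{version} is affected by CVE-2013-0285; upgrade to #{FIXED_NORI_VERSION} or later"
  else
    "nori #{version} is not affected by CVE-2013-0285"
  end
end

# Constructed sample lockfile (hypothetical gem set, not from a real project).
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    builder (3.2.4)
    nori (2.0.0)
    savon (2.0.3)
      builder (>= 2.1.2)
      nori (~> 2.0.0)

PLATFORMS
  ruby

DEPENDENCIES
  savon
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts assess_lockfile(text)
end
```

Run it as `ruby check_nori.rb path/to/Gemfile.lock`; with no argument it evaluates the embedded sample and reports that nori 2.0.0 is affected. Only the four-space spec line is consulted because that is the version Bundler actually installs; the `~>` requirement under savon says nothing about what was resolved.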
Exploitation status
EPSS: 1.50% (81st percentile)
The primary mitigation for CVE-2013-0285 is to upgrade the Nori gem to version 2.0.2 or later. If upgrading is not immediately feasible due to compatibility issues, consider implementing input validation to sanitize XML data before processing it with the Nori gem. Specifically, restrict the depth of nested XML entities. Web application firewalls (WAFs) configured to detect and block malicious XML payloads can also provide a temporary layer of protection. Monitor application logs for unusual activity related to XML parsing or object creation.
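Where the upgrade has to wait, the interim measure described above (validating XML before Nori sees it, and bounding nesting) can be implemented with the standard library alone. The guard below is an added example, not code from the original page or from the Nori project: it walks the document with REXML's pull parser, rejects any DOCTYPE or entity declaration, enforces a byte-size cap and a maximum element depth, and refuses malformed input, all before the string is handed to Nori. The limits and the sample documents are assumptions chosen for illustration.

```ruby
require 'rexml/parsers/pullparser'

# Illustrative limits; tune them to the documents your application legitimately receives.
MAX_DEPTH = 32
MAX_BYTES = 1_000_000

# Pre-parse guard to run on untrusted XML before passing it to Nori.
# Returns nil when the document is acceptable, otherwise a short reason string.
def xml_guard(xml, max_depth: MAX_DEPTH, max_bytes: MAX_BYTES)
  return "document exceeds #{max_bytes} bytes" if xml.bytesize > max_bytes

  depth = 0
  parser = REXML::Parsers::PullParser.new(xml)
  while parser.has_next?
    event = parser.pull
    case event.event_type
    when :start_doctype, :entitydecl, :externalentity
      # Internal DTD subsets are where entity-reference tricks live; refuse them outright.
      return "DOCTYPE and entity declarations are not allowed"
    when :start_element
      depth += 1
      return "element nesting deeper than #{max_depth}" if depth > max_depth
    when :end_element
      depth -= 1
    when :end_document
      break
    end
  end
  nil
rescue REXML::ParseException, RuntimeError => e
  # REXML raises ParseException for malformed input and RuntimeError when its
  # own entity-expansion limit is exceeded; both are grounds for rejection.
  "malformed or unsafe XML: #{e.message.lines.first.to_s.strip}"
end

# Constructed sample inputs (not real traffic).
SAFE_DOC   = "<order><id>42</id><note>hello</note></order>"
DEEP_DOC   = ("<x>" * 40) + "payload" + ("</x>" * 40)
DTD_DOC    = "<!DOCTYPE d [<!ENTITY e \"expanded\">]><d>&e;</d>"
BROKEN_DOC = "<a><b>unterminated</a>"

if __FILE__ == $PROGRAM_NAME
  { "safe" => SAFE_DOC, "deep" => DEEP_DOC, "dtd" => DTD_DOC, "broken" => BROKEN_DOC }.each do |label, doc|
    verdict = xml_guard(doc)
    puts "#{label}: #{verdict ? "REJECT (#{verdict})" : 'accept'}"
  end
end
```

In an application the call sits in front of the parser: only when `xml_guard(body)` returns nil does the body go to Nori. Because the guard works at the XML-event level it says nothing about Nori's own type casting of string values, which is the mechanism the advisory describes; Nori exposes an `advanced_typecasting` option that can be set to false to turn that casting off, and combining the two is a reasonable stop-gap until the upgrade to 2.0.2 lands.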
No official patch is listed here; check the workaround or monitor for updates.
CVE-2013-0285 is a high-severity object injection vulnerability affecting the Nori gem for Ruby, allowing attackers to execute code or cause denial of service through XML manipulation.
You are affected if you are using Nori gem version 2.0.0 or earlier. Upgrade to version 2.0.2 or later to resolve the vulnerability.
Upgrade the Nori gem to version 2.0.2 or later using your Ruby package manager (e.g., gem update nori).
While no confirmed active exploitation campaigns are publicly known, the vulnerability's nature and similarity to other object injection flaws suggest a potential for exploitation.
Refer to the NVD entry for CVE-2013-0285 for related information and links: https://nvd.nist.gov/vuln/detail/CVE-2013-0285