CVE-2013-0285 Information

Description

The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion. This is a similar vulnerability to CVE-2013-0156.

nori is the XML-to-Hash converter used by gems such as Savon and HTTParty. The root problem is the same one behind CVE-2013-0156: an attacker-controlled `type` attribute on an XML element selects how the element's text is cast, and casting to YAML or Symbol lets untrusted input instantiate arbitrary Ruby objects (YAML) or create un-collectable symbols (Symbol, on Ruby versions before 2.2). The fixed releases stop honoring those two casts; on nori 2.x, type casting can also be disabled entirely with `Nori.new(advanced_typecasting: false)`, which is the safer default for any service that parses XML from untrusted peers. Any application that pulls nori in transitively (check `Gemfile.lock`) is affected, not only those that call it directly.
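The following is an added example, not code from nori or from any of the advisories above. It models the vulnerable pattern in a few lines of plain Ruby (REXML plus Psych from the standard library): a converter that lets the XML `type` attribute choose the cast, beside a hardened converter that only honors an allowlist of harmless casts and treats everything else as a string. `DemoRecord`, the two typecast tables, `xml_to_hash`, and the XML payload are all constructed for this illustration and do not correspond to nori's internals; the YAML payload deliberately targets a locally defined class rather than any real gadget.

```ruby
require "rexml/document"
require "yaml"

# Hypothetical class that an attacker could instantiate through YAML casting.
# It stands in for whatever gadget class exists in a real application.
class DemoRecord
  attr_accessor :name
end

# Model of the vulnerable behaviour: the element's type attribute selects the
# cast, and "yaml" / "symbol" are honored for attacker-supplied text.
VULNERABLE_TYPECASTS = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[true 1].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },
  # Old Psych's YAML.load is unsafe; Psych 4 moved that behaviour to unsafe_load.
  "yaml"    => ->(s) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(s) : YAML.load(s) },
}.freeze

# Hardened behaviour: only casts that cannot create arbitrary objects or
# symbols are allowed; any other type value leaves the text as a String.
SAFE_TYPECASTS = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[true 1].include?(s.strip) },
}.freeze

# Flatten the children of the root element into a Hash, casting each child's
# text according to its type attribute and the supplied typecast table.
def xml_to_hash(xml, casts)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, h|
    caster = casts[el.attributes["type"]]
    text = el.text.to_s
    h[el.name] = caster ? caster.call(text) : text
  end
end

def vulnerable_parse(xml) = xml_to_hash(xml, VULNERABLE_TYPECASTS)
def safe_parse(xml)       = xml_to_hash(xml, SAFE_TYPECASTS)

# Constructed attacker request: one legitimate integer field, one field that
# forces a Symbol, and one whose text is a YAML document naming a Ruby class.
ATTACK_XML = <<~XML
  <request>
    <id type="integer">42</id>
    <tag type="symbol">attacker_chosen</tag>
    <obj type="yaml">--- !ruby/object:DemoRecord
  name: pwned</obj>
  </request>
XML

if $PROGRAM_NAME == __FILE__
  v = vulnerable_parse(ATTACK_XML)
  puts "vulnerable: obj=#{v['obj'].class} tag=#{v['tag'].inspect}"
  s = safe_parse(ATTACK_XML)
  puts "hardened:   obj=#{s['obj'].class} tag=#{s['tag'].inspect}"
end
```

With the vulnerable table, `obj` comes back as a live `DemoRecord` instance and `tag` as a Symbol, purely from the request body; with the allowlist, both stay Strings while the legitimate integer cast still works. The same allowlisting is what turning off nori's advanced typecasting achieves, and it is the right shape for any XML-to-object layer that accepts input from remote peers.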

References

http://seclists.org/oss-sec/2013/q1/304
https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately