Vulnerability: System compromise in Ruby on Rails
Danger level: High
Availability of fixes: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2013-0155
CVE-2013-0156
Vector of operation: Remote
Impact: System Compromise
Affected Products: Ruby on Rails 2.3.x, 3.0.x, 3.1.x, 3.2.x.
Affected versions: Ruby on Rails versions prior to 3.2.11, 3.1.10, 3.0.19, 2.3.15.
Description:
The vulnerability allows a remote user to execute arbitrary code on the target system.
An error in the processing of XML parameters, because of what the characters and YAML types can be part of a POST request. This can be exploited to compromise a vulnerable system.
Manufacturer URL: http://rubyonrails.org/
Solution: Install the latest version 3.2.11, 3.1.10, 3.0.19 and 2.3.15 from the manufacturer.
Filed under: Vulnerabilities
