Execution of arbitrary code
Ruby on Rails JSON Processor YAML Deserialization Code Execution
Vulnerability: Execution of arbitrary code in Ruby on Rails
Danger: High
Patch: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2013-0333
Vector of operation: Remote
Impact: System Compromise
Be exploited: PoC code
Affected Products: Ruby on Rails 2.3.x, Ruby on Rails 3.0.x
Affected versions: Ruby on Rails versions prior to 3.0.20 and 2.3.16.
Description:
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused due to input validation error in the method “convert_json_to_yaml ()” in the JSON Parser during decoding YAML data. A remote user can execute arbitrary code on the target system.
Manufacturer URL: http://rubyonrails.org/
Solution: Update to version 3.0.20 or 2.3.16 from the manufacturer.
links:
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
Filed under: Vulnerabilities
