Release date:
Updated on: 2013-01-31
Affected Systems:
Ruby on Rails 3.x
Ruby on Rails 2.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57575
CVE (CAN) ID: CVE-2013-0333
Ruby on Rails (RoR or Rails) is an open-source web application framework written in Ruby. It follows the MVC (model-view-controller) pattern strictly.
When decoding YAML input in Ruby on Rails 3.0.20 and 2.3.16, the convert_json_to_yaml() method of the JSON parser fails to validate its input, which allows arbitrary code execution.
<* Source: Lawrence Pit
Link: http://secunia.com/advisories/51938/
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
*>
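As an added example (not code from the advisory, from Rails, or from the source cited above), this is the defensive handling a service in front of a Rails JSON endpoint would want for this class of bug: decode request bodies with the JSON parser only, never by way of YAML, and flag bodies that carry YAML type tags. The function names, the tag heuristic and the sample requests are constructed for this illustration.

```ruby
require "json"

# YAML syntax that has no business inside a JSON document. "!ruby/" is the
# prefix Psych uses for Ruby-object tags, "!!" introduces a core YAML tag,
# and a leading "---" starts a YAML document. (Constructed heuristic.)
YAML_TAG_MARKERS = [/!ruby\//, /\A\s*---/, /!!\w+/].freeze

# True when the body looks like it is trying to smuggle YAML through a JSON
# endpoint. Legitimate JSON clients do not send these markers.
def suspicious_json_body?(body)
  YAML_TAG_MARKERS.any? { |re| body.match?(re) }
end

# Strict JSON decoding: the stdlib JSON parser only (no YAML conversion),
# no json_class object creation, bounded nesting, and only an object or an
# array accepted at the top level.
def decode_json_strict(body)
  raise ArgumentError, "YAML markers in JSON body" if suspicious_json_body?(body)
  data = JSON.parse(body, create_additions: false, max_nesting: 32)
  unless data.is_a?(Hash) || data.is_a?(Array)
    raise ArgumentError, "top-level JSON value must be an object or array"
  end
  data
end

# Constructed request log entries: [method, path, body]. The second one
# carries a YAML object tag inside a JSON string value.
SAMPLE_REQUESTS = [
  ["POST", "/users.json", '{"user":{"name":"alice","age":30}}'],
  ["POST", "/users.json", '{"user":"--- !ruby/object:Example\nbar: baz"}'],
  ["POST", "/orders.json", '[{"id":1},{"id":2}]'],
].freeze

# Returns [index, path] for every request whose body trips the check.
def flag_requests(requests = SAMPLE_REQUESTS)
  flagged = []
  requests.each_with_index do |(_method, path, body), idx|
    flagged << [idx, path] if suspicious_json_body?(body)
  end
  flagged
end

if __FILE__ == $PROGRAM_NAME
  puts "flagged: #{flag_requests.inspect}"
  puts decode_json_strict(SAMPLE_REQUESTS[0][2]).inspect
end
```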
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Ruby on Rails
-------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.rubyonrails.com/