
CVE-2013-0333

Published: 30 January 2013

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

Priority

High

Status

Package: rails
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (contains no code)

Package: ruby-activesupport-2.3
  Upstream: Released (2.3.14-6)
  Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (2.3.14-6)
  Patches:
    Debdiff: https://bugs.launchpad.net/ubuntu/+source/ruby-activesupport-2.3/+bug/1119256
    Vendor: http://www.debian.org/security/2013/dsa-2613

Package: ruby-activesupport-3.2
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable