CVE-2013-0333
Published: 30 January 2013
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
Notes
| Author | Note |
|---|---|
| mdeslaur | in Oneiric+, rails package is just for transition |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
rails Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Ignored
(end of life)
|
|
| oneiric |
Not vulnerable
(contains no code)
|
|
| precise |
Not vulnerable
(contains no code)
|
|
| quantal |
Not vulnerable
(contains no code)
|
|
| raring |
Not vulnerable
(contains no code)
|
|
| saucy |
Not vulnerable
(contains no code)
|
|
| upstream |
Needs triage
|
|
|
ruby-activesupport-2.3 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Released
(2.3.14-2ubuntu0.11.10.2)
|
|
| precise |
Released
(2.3.14-2ubuntu0.12.04.2)
|
|
| quantal |
Released
(2.3.14-4ubuntu0.2)
|
|
| raring |
Not vulnerable
(2.3.14-6)
|
|
| saucy |
Not vulnerable
(2.3.14-6)
|
|
| upstream |
Released
(2.3.14-6)
|
|
|
Patches: debdiff: https://bugs.launchpad.net/ubuntu/+source/ruby-activesupport-2.3/+bug/1119256 vendor: http://www.debian.org/security/2013/dsa-2613 |
||
|
ruby-activesupport-3.2 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Not vulnerable
|
|
| raring |
Not vulnerable
|
|
| saucy |
Not vulnerable
|
|
| upstream |
Needs triage
|
|