CVE-2013-0333
Published: 30 January 2013
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
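The following is an added illustration of the bug class this entry describes; it is not code from the advisory or from Rails. The `json_to_yaml` routine is a deliberately simplified stand-in for the JSON-to-YAML rewriting the description refers to (the real `lib/active_support/json/backends/yaml.rb` did more, but had the same shape: massage the text, then hand it to the YAML parser). `AuditRecord`, the inputs and the helper names are all constructed for the example. It shows why text-level conversion is unsafe: input that is valid YAML but not JSON passes through untouched, and the YAML parser honours its `!ruby/object` tag and instantiates an arbitrary class. The hardened decoder simply uses a real JSON parser, which is what the fixed Rails releases did by dropping the YAML backend.

```ruby
require 'json'
require 'yaml'

# Constructed stand-in for an application class that must never be built
# from untrusted input (not part of Rails or of this advisory).
class AuditRecord
  attr_accessor :user, :role
end

# Simplified decoder in the style the advisory describes (an illustration,
# not Rails' lib/active_support/json/backends/yaml.rb): it rewrites a few
# JSON tokens into YAML spelling and then hands the text to the YAML parser.
# Nothing checks that the input is actually JSON, so native YAML syntax such
# as a !ruby/object tag is passed through untouched and is honoured by the
# YAML parser.
def json_to_yaml(json)
  # "key":value is legal JSON but YAML needs a space after the colon.
  json.gsub(/("(?:[^"\\]|\\.)*")\s*:/) { "#{$1}: " }
end

# 2013-era YAML.load built arbitrary Ruby objects from tagged nodes. Psych 4
# made YAML.load safe by default, so use unsafe_load where it exists to
# reproduce the old behaviour.
def full_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# The vulnerable pattern: JSON -> YAML text -> full YAML parse.
def decode_via_yaml(json)
  full_yaml_load(json_to_yaml(json))
end

# The hardened pattern (what Rails 2.3.16 / 3.0.20 did by removing the YAML
# backend): parse JSON with a real JSON parser, which has no object tags.
def decode_with_json_parser(json)
  JSON.parse(json)
end

# True if the strict decoder refuses the input.
def strict_decoder_rejects?(json)
  decode_with_json_parser(json)
  false
rescue JSON::ParserError
  true
end

# Constructed inputs: an ordinary JSON body and a body that is YAML, not JSON.
BENIGN_JSON  = '{"user": "alice", "role": "viewer"}'
CRAFTED_BODY = "--- !ruby/object:AuditRecord\nuser: attacker\nrole: admin\n"

if $PROGRAM_NAME == __FILE__
  p decode_via_yaml(BENIGN_JSON)           # plain Hash, as intended
  p decode_via_yaml(CRAFTED_BODY)          # an AuditRecord chosen by the sender
  p strict_decoder_rejects?(CRAFTED_BODY)  # true
end
```

Instantiating a harmless class is enough to show the decoding boundary is gone; which class an attacker picks in a real application is what turns this into code execution, SQL injection or an authentication bypass, as the description lists. The check to apply to any JSON consumer is therefore whether untrusted JSON ever reaches a YAML (or other object-serialisation) parser at all, not whether the conversion regexes look tight.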
Notes
Author | Note |
---|---|
mdeslaur | in Oneiric+, rails package is just for transition |
Priority
Status
Package | Release | Status |
---|---|---|
rails (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
rails | lucid | Ignored (end of life) |
rails | oneiric | Not vulnerable (contains no code) |
rails | precise | Not vulnerable (contains no code) |
rails | quantal | Not vulnerable (contains no code) |
rails | raring | Not vulnerable (contains no code) |
rails | saucy | Not vulnerable (contains no code) |
rails | upstream | Needs triage |
ruby-activesupport-2.3 (Launchpad, Ubuntu, Debian) | hardy | Does not exist |
ruby-activesupport-2.3 | lucid | Does not exist |
ruby-activesupport-2.3 | oneiric | Released (2.3.14-2ubuntu0.11.10.2) |
ruby-activesupport-2.3 | precise | Released (2.3.14-2ubuntu0.12.04.2) |
ruby-activesupport-2.3 | quantal | Released (2.3.14-4ubuntu0.2) |
ruby-activesupport-2.3 | raring | Not vulnerable (2.3.14-6) |
ruby-activesupport-2.3 | saucy | Not vulnerable (2.3.14-6) |
ruby-activesupport-2.3 | upstream | Released (2.3.14-6) |
ruby-activesupport-3.2 (Launchpad, Ubuntu, Debian) | hardy | Does not exist |
ruby-activesupport-3.2 | lucid | Does not exist |
ruby-activesupport-3.2 | oneiric | Does not exist |
ruby-activesupport-3.2 | precise | Does not exist |
ruby-activesupport-3.2 | quantal | Not vulnerable |
ruby-activesupport-3.2 | raring | Not vulnerable |
ruby-activesupport-3.2 | saucy | Not vulnerable |
ruby-activesupport-3.2 | upstream | Needs triage |

Patches (ruby-activesupport-2.3): debdiff: https://bugs.launchpad.net/ubuntu/+source/ruby-activesupport-2.3/+bug/1119256 ; vendor: http://www.debian.org/security/2013/dsa-2613