Ruby on Rails JSON Parser YAML Handling Vulnerability
Release Date: 2013-01-29
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Ruby on Rails 2.3.x
Ruby on Rails 3.0.x
A vulnerability has been reported in Ruby on Rails, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an input validation error in the "convert_json_to_yaml()" method of the JSON parser when decoding YAML input.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in versions prior to 3.0.20 and 2.3.16.
Update to version 3.0.20 or 2.3.16.
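The affected and fixed versions above map onto the two branches the advisory covers (2.3.x and 3.0.x). The helper below is an added audit snippet, not part of the advisory or of Rails itself; it classifies a Rails version string against the fixed versions named here and treats any other branch as out of scope for this advisory rather than guessing.

```ruby
require "rubygems" # provides Gem::Version for correct semantic comparison

# Fixed versions named in the advisory, keyed by the affected release branch.
FIXED_BY_BRANCH = {
  "2.3" => Gem::Version.new("2.3.16"),
  "3.0" => Gem::Version.new("3.0.20"),
}.freeze

# Classify a Rails version string against this advisory.
# Returns :affected, :fixed, :out_of_scope (branch not covered here)
# or :invalid (not a parsable version string).
def rails_json_yaml_status(version_string)
  version = Gem::Version.new(version_string)
  # "3.0.19" -> branch "3.0"; prerelease tags (e.g. 3.0.20.rc1) still
  # compare below the final release, so they are reported as affected.
  branch = version.segments.first(2).join(".")
  fixed  = FIXED_BY_BRANCH[branch]
  return :out_of_scope unless fixed
  version < fixed ? :affected : :fixed
rescue ArgumentError
  :invalid
end

# Audit a list of deployed versions (constructed sample input below).
def audit(versions)
  versions.map { |v| [v, rails_json_yaml_status(v)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  audit(["2.3.15", "2.3.16", "3.0.19", "3.0.20", "3.0.20.rc1"]).each do |v, status|
    puts "#{v}: #{status}"
  end
end
```

In a running application, pass `Rails.version` (or `ActiveSupport::VERSION::STRING`) to `rails_json_yaml_status` to check the deployed release.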
Provided and/or discovered by:
The vendor credits Lawrence Pit, Mirror42.
Ruby on Rails: