Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2013-0277

Overview

Vulnerability Score 10.0 10.0
CVE Id CVE-2013-0277
Last Modified 05 Jun 2013 11:24:30
Published 12 Feb 2013 08:55:05
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact COMPLETE COMPLETE
Availability Impact COMPLETE COMPLETE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2013-0277

Summary

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.

Vulnerable Systems

Application

  • Rubyonrails Ruby On Rails 2.3.0

  • Rubyonrails Ruby On Rails 2.3.1

  • Rubyonrails Ruby On Rails 2.3.10

  • Rubyonrails Ruby On Rails 2.3.11

  • Rubyonrails Ruby On Rails 2.3.12

  • Rubyonrails Ruby On Rails 2.3.13

  • Rubyonrails Ruby On Rails 2.3.14

  • Rubyonrails Ruby On Rails 2.3.15

  • Rubyonrails Ruby On Rails 2.3.16

  • Rubyonrails Ruby On Rails 2.3.2

  • Rubyonrails Ruby On Rails 2.3.3

  • Rubyonrails Ruby On Rails 2.3.4

  • Rubyonrails Ruby On Rails 2.3.9

  • Rubyonrails Ruby On Rails 3.0.0

  • Rubyonrails Ruby On Rails 3.0.1

  • Rubyonrails Ruby On Rails 3.0.10

  • Rubyonrails Ruby On Rails 3.0.11

  • Rubyonrails Ruby On Rails 3.0.12

  • Rubyonrails Ruby On Rails 3.0.13

  • Rubyonrails Ruby On Rails 3.0.14

  • Rubyonrails Ruby On Rails 3.0.16

  • Rubyonrails Ruby On Rails 3.0.17

  • Rubyonrails Ruby On Rails 3.0.18

  • Rubyonrails Ruby On Rails 3.0.19

  • Rubyonrails Ruby On Rails 3.0.2

  • Rubyonrails Ruby On Rails 3.0.20

  • Rubyonrails Ruby On Rails 3.0.3

  • Rubyonrails Ruby On Rails 3.0.4

  • Rubyonrails Ruby On Rails 3.0.5

  • Rubyonrails Ruby On Rails 3.0.6

  • Rubyonrails Ruby On Rails 3.0.7

  • Rubyonrails Ruby On Rails 3.0.8

  • Rubyonrails Ruby On Rails 3.0.9


References

CONFIRM - https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KtmwSbEpzrU

OSVDB - 90073

MLIST - [oss-security] 20130211 Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]

CONFIRM - http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/

SECTRACK - 1028109

DEBIAN - DSA-2620

MLIST - [rubyonrails-security] 20130211 Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]

SECUNIA - 52112

SUSE - openSUSE-SU-2013:0462

CONFIRM - http://support.apple.com/kb/HT5784

APPLE - APPLE-SA-2013-06-04-1


Last Updated: 27 May 2016 11:01:50