Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5 (CVSS v2 base score; vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE Id CVE-2013-0333
Last Modified 05 Jun 2013 11:24:35
Published 30 Jan 2013 07:00:08
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2013-0333

Summary

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding. This is a different vulnerability than CVE-2013-0156, which concerned the XML parameter parser; here the attack surface is any request whose JSON body is decoded by ActiveSupport's YAML-based JSON backend, so the application itself need not use YAML anywhere. Because a full YAML loader honours Ruby object tags, a body that reaches it can instantiate arbitrary classes, which is what turns a parsing bug into code execution. Fixed in 3.0.20 and 2.3.16 (see the release announcement under References); the upstream advisory's workaround for installations that could not upgrade was to switch ActiveSupport's JSON backend away from YAML.
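The following Ruby is an added illustration of the bug class described above, not the Rails code and not a reproduction of the Rails converter or of any published exploit. It contrasts the unsafe pattern (handing a JSON body to a full YAML loader, which honours `!ruby/object` tags) with a real JSON parser and with `YAML.safe_load`, and adds the kind of coarse request-body check a detection rule for this bug family uses. The `Gadget` class, the `decode_*` and `run_decoders` helpers, and both request bodies are constructed for this example.

```ruby
require 'json'
require 'yaml'

# Hypothetical application class (constructed for this example, not from Rails).
# Any class reachable by name can be targeted by a !ruby/object tag.
class Gadget
  attr_reader :command
end

# Unsafe pattern at the heart of the CVE: JSON is treated as "a subset of YAML"
# and handed to a full YAML loader. Full YAML honours !ruby/object:ClassName
# tags, so the loader allocates whatever class the request names and sets its
# instance variables from the mapping that follows.
def decode_as_yaml(body)
  # Psych 4 (Ruby 3.1+) made YAML.load safe by default; unsafe_load restores
  # the legacy behaviour that the vulnerable backend relied on.
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# The fix: parse JSON with a JSON parser. JSON has no type tags, and anything
# that is not JSON (a YAML tag, an unquoted token) is a parse error.
def decode_as_json(body)
  JSON.parse(body)
end

# Where YAML itself must be accepted, safe_load refuses any tag that would
# instantiate a class outside an explicit allow-list.
def decode_yaml_safely(body)
  YAML.safe_load(body)
end

# Detection: a JSON request body has no business containing a Ruby YAML tag.
# This is a coarse signature; it can false-positive on a legitimate string
# value that happens to contain "!ruby/", so treat hits as review material.
RUBY_TAG = %r{!ruby/}

def suspicious_body?(body)
  RUBY_TAG.match?(body)
end

# Constructed request bodies: one hostile, one benign.
HOSTILE_BODY = '{"user": !ruby/object:Gadget {command: "id"}}'
BENIGN_BODY  = '{"user": "alice"}'

# Run one body through each decoder and summarise what happened.
def run_decoders(body)
  results = {}

  value = decode_as_yaml(body)['user']
  results[:yaml_loader] = value.is_a?(String) ? :string : value.class.name

  begin
    decode_as_json(body)
    results[:json_parser] = :accepted
  rescue JSON::ParserError
    results[:json_parser] = :rejected
  end

  begin
    decode_yaml_safely(body)
    results[:safe_yaml] = :accepted
  rescue Psych::DisallowedClass
    results[:safe_yaml] = :rejected
  end

  results[:flagged] = suspicious_body?(body)
  results
end

if __FILE__ == $0
  { hostile: HOSTILE_BODY, benign: BENIGN_BODY }.each do |label, body|
    puts "#{label}: #{run_decoders(body)}"
  end
end
```

On the hostile body the YAML loader returns a live `Gadget` whose `@command` was set by the request, while `JSON.parse` raises and `safe_load` raises `Psych::DisallowedClass`; the benign body is accepted by all three. The example uses a tag that is syntactically invalid JSON to keep the mechanism visible; the real flaw was a conversion step that let text which started life as valid JSON reach the YAML loader in a form that carried such tags.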

Vulnerable Systems

Application

  • Rubyonrails Ruby On Rails 2.3.0

  • Rubyonrails Ruby On Rails 2.3.1

  • Rubyonrails Ruby On Rails 2.3.2

  • Rubyonrails Ruby On Rails 2.3.3

  • Rubyonrails Ruby On Rails 2.3.4

  • Rubyonrails Ruby On Rails 2.3.9

  • Rubyonrails Ruby On Rails 2.3.10

  • Rubyonrails Ruby On Rails 2.3.11

  • Rubyonrails Ruby On Rails 2.3.12

  • Rubyonrails Ruby On Rails 2.3.13

  • Rubyonrails Ruby On Rails 2.3.14

  • Rubyonrails Ruby On Rails 2.3.15

  • Rubyonrails Ruby On Rails 3.0.0

  • Rubyonrails Ruby On Rails 3.0.1

  • Rubyonrails Ruby On Rails 3.0.2

  • Rubyonrails Ruby On Rails 3.0.3

  • Rubyonrails Ruby On Rails 3.0.4

  • Rubyonrails Ruby On Rails 3.0.5

  • Rubyonrails Ruby On Rails 3.0.6

  • Rubyonrails Ruby On Rails 3.0.7

  • Rubyonrails Ruby On Rails 3.0.8

  • Rubyonrails Ruby On Rails 3.0.9

  • Rubyonrails Ruby On Rails 3.0.10

  • Rubyonrails Ruby On Rails 3.0.11

  • Rubyonrails Ruby On Rails 3.0.12

  • Rubyonrails Ruby On Rails 3.0.13

  • Rubyonrails Ruby On Rails 3.0.14

  • Rubyonrails Ruby On Rails 3.0.16

  • Rubyonrails Ruby On Rails 3.0.17

  • Rubyonrails Ruby On Rails 3.0.18

  • Rubyonrails Ruby On Rails 3.0.19


References

MLIST - [rubyonrails-security] 20130129 Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3

CERT-VN - VU#628463

DEBIAN - DSA-2613

CONFIRM - http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/

REDHAT - RHSA-2013:0203

REDHAT - RHSA-2013:0202

REDHAT - RHSA-2013:0201

APPLE - APPLE-SA-2013-03-14-1

CONFIRM - http://support.apple.com/kb/HT5784

APPLE - APPLE-SA-2013-06-04-1

Related Patches

Apple 2013-03-14 Security Update 2013-001 Server (Lion)


Last Updated: 27 May 2016 11:01:46