The JSON parsers in Ruby on Rails 3.0 and 2.3 contain a vulnerability that may result in arbitrary code execution.
The Ruby on Rails advisory states:
There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0333.
An unauthenticated attacker using a specifically crafted payload may be able to trick the Ruby on Rails backend into executing arbitrary code.
Apply an Update
The Ruby on Rails advisory states the following workarounds as well.
Thanks to Lawrence Pit of Mirror42 for discovering the vulnerability.
This document was written by Jared Allar.
Date First Published: 2013-01-28
Date Last Updated: 2013-03-11 17:57 UTC