CVSS2: 7.5 (High) AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS: 0.973 (High), percentile 99.9%
Added: 02/15/2013
CVE: CVE-2013-0156
BID: 57187
OSVDB: 89026
Ruby on Rails is a full-stack web application framework that favors convention over configuration to keep application code small and consistent.
Ruby on Rails versions prior to 2.3.15, 3.0.19, 3.1.10 and 3.2.11 do not properly restrict how string values in XML request parameters are cast (active_support/core_ext/hash/conversions.rb): an element carrying a type="yaml" attribute is handed to YAML.load, and one carrying type="symbol" is converted with to_sym. A remote, unauthenticated attacker can therefore inject arbitrary Ruby objects and execute arbitrary code, or cause a denial of service (memory and CPU exhaustion) through unbounded symbol creation and nested XML entity references, against any Rails application that accepts XML parameters, which is the default.
Upgrade to Ruby on Rails 2.3.15, 3.0.19, 3.1.10, 3.2.11 or later. Where an upgrade cannot be deployed immediately, the Rails advisory's workarounds are to disable XML parameter parsing entirely (ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML) on Rails 3.x) or to remove the 'yaml' and 'symbol' entries from ActiveSupport::XmlMini::PARSING in an initializer.
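The following is an added illustration of the casting flaw described above; it is not code from the Rails project, from the advisory, or from the exploit module. It models the pre-fix type-cast table with a one-level stand-in for Hash.from_xml (the names AuditEntry, VULNERABLE_PARSING, HARDENED_PARSING, params_from_xml and SAMPLE_XML are assumptions made for this example), then runs the same constructed request body through the hardened table that mirrors the upstream fix.

```ruby
require 'rexml/document'
require 'yaml'

# Hypothetical application class. Any class reachable on the app's load path
# can be instantiated the same way by an attacker-chosen !ruby/object tag.
class AuditEntry
  attr_accessor :who, :action
end

# Simplified stand-in for the pre-fix ActiveSupport::XmlMini::PARSING table:
# the XML "type" attribute selects a caster, and two of the entries hand
# attacker-controlled text to YAML.load (object injection) and String#to_sym
# (unbounded symbol creation, a memory DoS on Rubies of that era).
VULNERABLE_PARSING = {
  'string'  => ->(v) { v.to_s },
  'integer' => ->(v) { v.to_i },
  'boolean' => ->(v) { %w[1 true].include?(v.strip) },
  'symbol'  => ->(v) { v.to_sym },
  # Psych >= 4 made YAML.load safe; unsafe_load reproduces the 2013 behaviour.
  'yaml'    => ->(v) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(v) : YAML.load(v) },
}.freeze

# Hardened table, the shape of the upstream fix: the 'yaml' and 'symbol'
# entries are gone, so those types fall through and stay plain Strings.
HARDENED_PARSING = VULNERABLE_PARSING.reject { |type, _| %w[yaml symbol].include?(type) }.freeze

# Builds a flat params hash from the children of the XML root, casting each
# element according to its type attribute (a one-level model of Hash.from_xml;
# the real implementation recurses and handles arrays, files and nil).
def params_from_xml(xml, parsing)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, params|
    caster = parsing[el.attributes['type']]
    text = el.text.to_s
    params[el.name] = caster ? caster.call(text) : text
  end
end

# Constructed request body. The YAML document is deliberately benign: it only
# instantiates AuditEntry, which is enough to prove that attacker-controlled
# YAML reaches the deserializer. A real attack names a class whose
# deserialization side effects run code.
SAMPLE_XML = <<~XML
  <request>
    <count type="integer">3</count>
    <tag type="symbol">admin</tag>
    <note type="yaml">--- !ruby/object:AuditEntry
  who: mallory
  action: login
  </note>
  </request>
XML

if __FILE__ == $PROGRAM_NAME
  vulnerable = params_from_xml(SAMPLE_XML, VULNERABLE_PARSING)
  hardened   = params_from_xml(SAMPLE_XML, HARDENED_PARSING)
  puts "vulnerable: note=#{vulnerable['note'].class} tag=#{vulnerable['tag'].inspect}"
  puts "hardened:   note=#{hardened['note'].class} tag=#{hardened['tag'].inspect}"
end
```

With the vulnerable table the `note` parameter comes back as a live AuditEntry built from attacker input; with the hardened table it is just the literal YAML text, which the application treats like any other string. The same request body, sent as `Content-Type: application/xml`, is what the advisory's workarounds neutralise: deleting the two PARSING entries makes the second outcome the only one, and removing Mime::XML from the parameter parsers stops the body from being parsed at all.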
<http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/>
<http://www.kb.cert.org/vuls/id/380039>
<http://www.kb.cert.org/vuls/id/628463>
This exploit has been tested against Ruby on Rails 3.0.18 on CentOS 6 (Exec-Shield enabled).
Platform: Linux