lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before
2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML
data for processing by a YAML parser, which allows remote attackers to
execute arbitrary code, conduct SQL injection attacks, or bypass
authentication via crafted data that triggers unsafe decoding, a different
vulnerability than CVE-2013-0156.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699249>
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699226>
<https://bugs.launchpad.net/ubuntu/+source/ruby-activesupport-2.3/+bug/1119256>

Notes

Author	Note
mdeslaur	in Oneiric+, rails package is just for transition

OSVersionArchitecturePackageVersionFilename
ubuntu11.10noarchruby-activesupport-2.3< 2.3.14-2ubuntu0.11.10.2UNKNOWN
ubuntu12.04noarchruby-activesupport-2.3< 2.3.14-2ubuntu0.12.04.2UNKNOWN
ubuntu12.10noarchruby-activesupport-2.3< 2.3.14-4ubuntu0.2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	11.10	noarch	ruby-activesupport-2.3	< 2.3.14-2ubuntu0.11.10.2	UNKNOWN
ubuntu	12.04	noarch	ruby-activesupport-2.3	< 2.3.14-2ubuntu0.12.04.2	UNKNOWN
ubuntu	12.10	noarch	ruby-activesupport-2.3	< 2.3.14-4ubuntu0.2	UNKNOWN

References

groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo

groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain

launchpad.net/bugs/cve/CVE-2013-0333

nvd.nist.gov/vuln/detail/CVE-2013-0333

security-tracker.debian.org/tracker/CVE-2013-0333

www.cve.org/CVERecord?id=CVE-2013-0333

osv 8

cert 2

veracode 2

packetstorm 2

threatpost 3

nessus 21

cve 7

prion 7

debiancve 5

github 7

rubygems 4

openvas 43

fedora 16

suse 5

seebug 3

checkpoint_advisories 3

debian 3

gitlab 2

redhat 4

metasploit 4

zdt 2

kitploit 2

securityvulns 6

saint 4

thn 2

ubuntucve 4

exploitdb 2

ics 1

freebsd 2

nmap 1

gentoo 1

ibm 1

osv

activesupport in Rails vulnerable to incorrect data conversion

2017-10-24 18:33:37

rails - insufficient input validation

2013-01-09 00:00:00

actionpack Improper Input Validation vulnerability

2017-10-24 18:33:37

cert

Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability

2013-01-28 00:00:00

Ruby on Rails Action Pack framework insecurely typecasts YAML and Symbol XML parameters

2013-01-08 00:00:00

veracode

Arbitrary Code Execution, SQL Injection Attacks And Authentication Bypass

2019-01-15 08:54:45

Denial Of Service (DoS) Memory Consumption, Arbitrary Code Execution And Object-injection Attacks

2019-01-15 08:53:34

packetstorm

Ruby on Rails JSON Processor YAML Deserialization Code Execution

2013-01-29 00:00:00

Ruby On Rails XML Processor YAML Deserialization Code Execution

2013-01-11 00:00:00

threatpost

Some Versions of Ruby on Rails Vulnerable to New Parsing Attack

2013-01-29 17:47:51

Ruby on Rails Exploit Harvests IRC Botnet

2013-05-28 18:56:05

Exploit Code, Metasploit Module Out for Ruby on Rails Flaws

2013-01-10 15:01:40

nessus

Mac OS X : OS X Server < 2.2.1 Multiple Vulnerabilities

2013-02-05 00:00:00

Fedora 17 : rubygem-activesupport-3.0.11-8.fc17 (2013-1710)

2013-02-11 00:00:00

Fedora 16 : rubygem-activesupport-3.0.10-6.fc16 (2013-1745)

2013-02-11 00:00:00

cve

CVE-2013-0333

2013-01-30 12:00:00

CVE-2013-0156

2013-01-13 22:55:00

CVE-2013-0175

2013-04-25 23:55:00

prion

Sql injection

2013-01-30 12:00:00

Type confusion

2013-01-13 22:55:00

Type confusion

2013-04-09 20:55:00

debiancve

CVE-2013-0333

2013-01-30 12:00:00

CVE-2013-0156

2013-01-13 22:55:00

CVE-2013-0175

2013-04-25 23:55:00

github

activesupport in Rails vulnerable to incorrect data conversion

2017-10-24 18:33:37

actionpack Improper Input Validation vulnerability

2017-10-24 18:33:37

nori contains Improper Input Validation

2017-10-24 18:33:37

rubygems

CVE-2013-0333 rubygem-activesupport: json to yaml parsing

2013-01-27 20:00:00

CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack

2013-01-07 20:00:00

Ruby Gem nori Parameter Parsing Remote Code Execution

2013-01-09 20:00:00

openvas

Fedora Update for rubygem-activesupport FEDORA-2013-1710

2013-02-11 00:00:00

Fedora Update for rubygem-activesupport FEDORA-2013-1710

2013-02-11 00:00:00

Fedora Update for rubygem-activesupport FEDORA-2013-4130

2013-04-02 00:00:00

fedora

[SECURITY] Fedora 17 Update: rubygem-activesupport-3.0.11-8.fc17

2013-02-10 04:38:36

[SECURITY] Fedora 16 Update: rubygem-activesupport-3.0.10-6.fc16

2013-02-10 04:28:15

[SECURITY] Fedora 17 Update: rubygem-activesupport-3.0.11-9.fc17

2013-03-30 21:30:40

suse

ruby on rails to 2.3.16 (important)

2013-02-12 10:10:39

ruby on rails to 2.3.16 (important)

2013-02-12 11:04:29

Security update for Ruby On Rails (important)

2013-03-19 18:04:46

seebug

Ruby on Rails 'convert_json_to_yaml()'方法安全漏洞

2013-01-30 00:00:00

Ruby on Rails JSON Processor YAML Deserialization Code Execution

2013-02-03 00:00:00

Ruby on Rails XML Processor YAML Deserialization Code Execution

2014-07-01 00:00:00

checkpoint_advisories

Ruby on Rails JSON Processor YAML Deserialization Code Execution - Ver2 (CVE-2013-0333)

2014-03-31 00:00:00

Ruby on Rails JSON Processor YAML Deserialization Code Execution (CVE-2013-0333)

2013-02-19 00:00:00

Ruby on Rails XML Processor YAML Deserialization Code Execution (CVE-2013-0156)

2013-01-20 00:00:00

debian

[SECURITY] [DSA 2613-1] rails security update

2013-01-30 07:33:38

[SECURITY] [DLA 172-1] libextlib-ruby security update

2015-03-14 19:01:22

[SECURITY] [DSA 2604-1] rails security update

2013-01-09 19:17:20

gitlab

Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3

2013-01-30 00:00:00

Multiple vulnerabilities in parameter parsing in Action Pack

2013-01-13 00:00:00

redhat

(RHSA-2013:0201) Critical: rubygem-activesupport security update

2013-01-28 00:00:00

(RHSA-2013:0202) Critical: rubygem-activesupport security update

2013-01-28 00:00:00

(RHSA-2013:0153) Critical: Ruby on Rails security update

2013-01-10 00:00:00

metasploit

Ruby on Rails XML Processor YAML Deserialization Scanner

2013-01-09 18:50:38

Ruby on Rails JSON Processor YAML Deserialization Scanner

2013-02-11 22:48:44

Ruby on Rails XML Processor YAML Deserialization Code Execution

2013-01-10 05:10:13

zdt

Action Pack Multiple Vulnerabilities

2013-01-09 00:00:00

Ruby On Rails XML Processor YAML Deserialization Code Execution

2013-01-11 00:00:00

kitploit

[Nmap v6.40] Free Security Scanner For Network Exploration & Security Audits

2013-08-21 01:33:00

Dawnscanner - Dawn Is A Static Analysis Security Scanner For Ruby Written Web Applications (Sinatra, Padrino And ROR Frameworks)

2018-12-11 20:43:00

securityvulns

[SECURITY] [DSA 2613-1] rails security update

2013-02-04 00:00:00

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

2013-02-04 00:00:00

Apple Mac OS X multiple security vulnerabilities

2013-03-24 00:00:00

saint

Ruby on Rails XML Processor YAML Deserialization

2013-02-15 00:00:00

Ruby on Rails XML Processor YAML Deserialization

2013-02-15 00:00:00

Ruby on Rails XML Processor YAML Deserialization

2013-02-15 00:00:00

thn

Ruby on Rails exploit could hijack unpatched servers for botnet

2013-05-30 16:53:00

Ruby on Rails exploit could hijack unpatched servers for botnet

2013-05-31 03:53:00

ubuntucve

CVE-2013-0156

2013-01-13 00:00:00

CVE-2013-1802

2013-04-09 00:00:00

CVE-2013-0285

2013-04-09 00:00:00

exploitdb

Ruby on Rails - JSON Processor YAML Deserialization Code Execution (Metasploit)

2013-01-29 00:00:00

Ruby on Rails - XML Processor YAML Deserialization Code Execution (Metasploit)

2013-01-10 00:00:00

ics

Wonderware Intelligence Tableau Server Ruby on Rails Improper Input Validation (Update A)

2013-02-21 00:00:00

freebsd

rubygem-rails -- multiple vulnerabilities

2013-01-08 00:00:00

puppet27 and puppet -- multiple vulnerabilities

2013-03-13 00:00:00

nmap

http-vuln-cve2013-0156 NSE Script

2013-04-25 03:15:33

gentoo

Ruby on Rails: Multiple vulnerabilities

2014-12-14 00:00:00

ibm

Security Bulletin: IBM Security Network Intrusion Prevention System can be affected by vulnerabilities in Ruby on Rails (CVE-2012-2660, CVE-2012-2694, CVE-2013-0156, CVE-2012-6496, CVE-2012-3424, and CVE-2012-2695)

2021-01-25 20:13:51

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%

JSON

Related for UB:CVE-2013-0333