RubySec

Providing security resources for the Ruby community

CVE-2013-0156 (actionpack): Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v2: 10.0

PATCHED VERSIONS

  • ~> 2.3.15
  • ~> 3.0.19
  • ~> 3.1.10
  • >= 3.2.11

DESCRIPTION

Ruby on Rails contains a flaw in params_parser.rb in Action Pack. The issue is triggered when a type casting error occurs while parsing request parameters. This may allow a remote attacker to execute arbitrary code.
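As an added example (not part of the RubySec advisory or the Rails project), a small Ruby check that reads the resolved actionpack version from a Gemfile.lock and tests it against the patched ranges listed above; the lockfile fragment is constructed, and the `vulnerable?` / `actionpack_version` helper names are this example's own.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement come with RubyGems

# Patched ranges from the advisory. A version is fixed if it satisfies ANY one of them.
PATCHED = ["~> 2.3.15", "~> 3.0.19", "~> 3.1.10", ">= 3.2.11"].freeze

# True when the given actionpack version lies outside every patched range.
# Pre-release builds (e.g. "3.2.11.rc1") sort below the final release and are
# therefore reported as vulnerable, which is the conservative answer.
def vulnerable?(version)
  v = Gem::Version.new(version)
  PATCHED.none? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Pulls the resolved actionpack version out of Gemfile.lock text.
# Resolved specs sit at 4-space indent ("    actionpack (3.2.10)"); dependency
# lines are indented deeper and carry an operator, so they do not match.
def actionpack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}actionpack \(([\d.A-Za-z]+)\)/)
  m && m[1]
end

# Constructed Gemfile.lock fragment for a Rails 3.2.10 application
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.10)
        activemodel (= 3.2.10)
      rails (3.2.10)
        actionpack (= 3.2.10)
LOCK

if __FILE__ == $0
  ver = actionpack_version(SAMPLE_LOCK)
  if ver.nil?
    puts "actionpack not found in lockfile"
  else
    puts "actionpack #{ver}: #{vulnerable?(ver) ? 'VULNERABLE to CVE-2013-0156' : 'patched'}"
  end
end
```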