RubySec

Providing security resources for the Ruby community

CVE-2013-0277 (activerecord): CVE-2013-0277 rubygem-activerecord: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0

ADVISORIES

GEM

activerecord

FRAMEWORK

rails

SEVERITY

CVSS v2: 10.0 (High)

PATCHED VERSIONS

  • ~> 2.3.17
  • >= 3.1.0

DESCRIPTION

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.