RubySec

Providing security resources for the Ruby community

CVE-2013-0277 (activerecord): Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote Code Execution

ADVISORIES

GEM

activerecord

FRAMEWORK

rails

SEVERITY

CVSS v2: 10.0

PATCHED VERSIONS

  • ~> 2.3.17
  • >= 3.1.0

DESCRIPTION

Ruby on Rails contains a flaw in the +serialize+ helper in Active Record. The issue is triggered when the system is configured to allow users to directly provide values that are serialized and deserialized using YAML. By supplying a specially crafted YAML attribute, a remote attacker can cause arbitrary YAML to be deserialized and execute the code associated with it.
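
To check a project against the patched versions listed above, the following added example (not part of the original advisory or of any RubySec tool) reads the locked activerecord version from a Gemfile.lock and tests it against those constraints. The lockfile excerpt and the helper names `locked_version`, `patched?` and `audit` are constructed for illustration.

```ruby
require "rubygems"

# Patched version constraints copied from this advisory.
# A version is considered patched if it satisfies ANY of them.
PATCHED = ["~> 2.3.17", ">= 3.1.0"].map { |c| Gem::Requirement.new(c) }

# Constructed sample Gemfile.lock excerpt (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activemodel (3.0.20)
        builder (~> 2.1.2)
      activerecord (3.0.20)
        activemodel (= 3.0.20)
        arel (~> 2.0.10)
      arel (2.0.10)
LOCK

# Return the resolved version of gem `name`, or nil if it is not locked.
def locked_version(lock_text, name)
  lock_text.each_line do |line|
    # Resolved specs are indented four spaces; their dependency
    # constraints are indented six and must not be mistaken for them.
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[2]) if m && m[1] == name
  end
  nil
end

# True when `version` satisfies at least one patched constraint.
def patched?(version)
  PATCHED.any? { |req| req.satisfied_by?(version) }
end

# Classify a lockfile as :patched, :unpatched or :not_present.
def audit(lock_text, name = "activerecord")
  version = locked_version(lock_text, name)
  return :not_present if version.nil?
  patched?(version) ? :patched : :unpatched
end

puts "activerecord: #{audit(SAMPLE_LOCK)}" if $PROGRAM_NAME == __FILE__
```

Note that 3.0.x releases satisfy neither constraint, so a lockfile pinned to that series is reported as unpatched.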