Developers have eliminated dangerous vulnerability in Ruby on Rails, which allows the execution of arbitrary code on the system.
Developers of the popular framework has released a security update that fixes a critical vulnerability in the output JSON data. The vulnerability allows an attacker to execute arbitrary code via a specially crafted HTTP POST request containing the JSON code to insert YAML.
Vulnerabilities affect versions Ruby on Rails 3.0.19 or 2.3.15. Earlier versions may also be affected by this vulnerability.
Recall that a few weeks ago in the network has an exploit that uses a vulnerability in the XML handler for Ruby on Rails. So this is the second dangerous vulnerability in the framework, in January of this year. Last year, for the Ruby on Rails SecurityLab.ru released 5 security notifications, which have been described 10 vulnerabilities. None of the vulnerabilities in 2012, is not at a high risk rating.
The vulnerability is available at: http://malwarelist.net/2013/01/30/execution-of-arbitrary-code-in-ruby-on-rails/
We encourages our readers to establish the last version of the software 3.0.20 or 2.3.16 from a site of the producer.
Manufacturer URL: http://rubyonrails.org/