Ruby on Rails JSON Processor YAML Deserialization Code Execution
Vulnerability: Execution of arbitrary code in Ruby on Rails
Number of vulnerabilities: 1
CVE ID: CVE-2013-0333
Vector of operation: Remote
Impact: System Compromise
Exploitation status: PoC code available
Affected Products: Ruby on Rails 2.3.x, Ruby on Rails 3.0.x
Affected versions: Ruby on Rails versions prior to 3.0.20 and 2.3.16.
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by an input validation error in the JSON parser's convert_json_to_yaml() method, which converts incoming JSON to YAML before decoding it as YAML. A remote user can exploit this to execute arbitrary code on the target system.
Vendor URL: http://rubyonrails.org/
Solution: Update to version 3.0.20 (3.0.x) or 2.3.16 (2.3.x), available from the vendor.
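The version check a defender would want to run against this advisory, as an added example that is not part of the advisory or of Rails itself: it reads the pinned rails version out of a Gemfile.lock and classifies it against the fixed releases stated above (2.3.16 for the 2.3.x line, 3.0.20 for the 3.0.x line). The lockfile below is a constructed sample, and the Gemfile.lock layout (gem entries indented four spaces under "specs:") is an assumption about the Bundler format, not something the advisory states.

```ruby
# Added example (not part of the original advisory): check a Gemfile.lock for a
# Rails version affected by CVE-2013-0333 as the advisory describes it
# (2.3.x before 2.3.16, 3.0.x before 3.0.20). Other release lines are reported
# as out of scope for this advisory rather than as safe.
require 'rubygems'

# Fixed versions per the advisory, keyed by the affected release line.
FIXED_VERSIONS = {
  '2.3' => Gem::Version.new('2.3.16'),
  '3.0' => Gem::Version.new('3.0.20'),
}.freeze

# Pull the resolved "rails (x.y.z)" entry out of a Gemfile.lock's specs section.
# Assumes Bundler's layout: resolved gems sit four spaces deep under "specs:",
# while their dependencies (six spaces) and the DEPENDENCIES section (two
# spaces, with an operator such as "= ") do not match. Returns nil if absent.
def rails_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^\s{4}rails \((\d+\.\d+\.\d+[^)]*)\)/)
  match && match[1]
end

# Classify a Rails version string against the advisory:
#   :vulnerable   - affected line and below the fixed release
#   :fixed        - affected line at or above the fixed release
#   :out_of_scope - a release line the advisory does not cover (e.g. 3.1, 3.2)
def cve_2013_0333_status(version_string)
  version = Gem::Version.new(version_string)
  line = version.segments.first(2).join('.')
  fixed = FIXED_VERSIONS[line]
  return :out_of_scope unless fixed
  version < fixed ? :vulnerable : :fixed
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (3.0.19)
      rails (3.0.19)
        activesupport (= 3.0.19)
      rake (0.9.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.0.19)
LOCK

# Combine the two steps into one report for a lockfile's contents.
def check_lockfile(lockfile_text)
  version = rails_version_from_lockfile(lockfile_text)
  return { version: nil, status: :rails_not_found } unless version
  { version: version, status: cve_2013_0333_status(version) }
end

if __FILE__ == $PROGRAM_NAME
  result = check_lockfile(SAMPLE_LOCKFILE)
  puts "rails #{result[:version]}: #{result[:status]}"
end
```

Gem::Version handles the comparison, so a prerelease such as 3.0.20.rc1 correctly sorts below 3.0.20 and is reported as vulnerable; release lines the advisory does not list (3.1.x, 3.2.x) come back as :out_of_scope so they are not mistaken for patched.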