ID CVE-2013-0277
Summary ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
References
Vulnerable Configurations
  • Ruby on Rails 3.0.0
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0
  • Ruby on Rails 3.0.0 beta
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:beta
  • Ruby on Rails 3.0.0 beta2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:beta2
  • Ruby on Rails 3.0.0 beta3
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:beta3
  • Ruby on Rails 3.0.0 beta4
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:beta4
  • Ruby on Rails 3.0.0 release candidate
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:rc
  • Ruby on Rails 3.0.0 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:rc2
  • Ruby on Rails 3.0.1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.1
  • Ruby on Rails 3.0.1 pre
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.1:pre
  • Ruby on Rails 3.0.2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.2
  • Ruby on Rails 3.0.2 pre
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.2:pre
  • Ruby on Rails 3.0.3
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.3
  • Ruby on Rails 3.0.4
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4
  • Ruby on Rails 3.0.4 release candidate
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:rc
  • Ruby on Rails 3.0.4 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:rc1
  • Ruby on Rails 3.0.5
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.5
  • Ruby on Rails 3.0.5 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.5:rc1
  • Ruby on Rails 3.0.6
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.6
  • Ruby on Rails 3.0.6 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.6:rc1
  • Ruby on Rails 3.0.6 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.6:rc2
  • Ruby on Rails 3.0.7
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.7
  • Ruby on Rails 3.0.7 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.7:rc1
  • Ruby on Rails 3.0.7 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.7:rc2
  • Ruby on Rails 3.0.8
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8
  • Ruby on Rails 3.0.8 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8:rc1
  • Ruby on Rails 3.0.8 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8:rc2
  • Ruby on Rails 3.0.8 release candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8:rc3
  • Ruby on Rails 3.0.8 release candidate 4
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8:rc4
  • Ruby on Rails 3.0.9
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9
  • Ruby on Rails 3.0.9 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc1
  • Ruby on Rails 3.0.9 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc2
  • Ruby on Rails 3.0.9 release candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc3
  • Ruby on Rails 3.0.9 release candidate 4
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc4
  • Ruby on Rails 3.0.9 release candidate 5
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc5
  • Ruby on Rails 3.0.10
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.10
  • Ruby on Rails 3.0.10 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.10:rc1
  • Ruby on Rails 3.0.11
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.11
  • Ruby on Rails 3.0.12
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.12
  • Ruby on Rails 3.0.12 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.12:rc1
  • Ruby on Rails 3.0.13
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.13
  • Ruby on Rails 3.0.13 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.13:rc1
  • Ruby on Rails 3.0.14
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.14
  • Ruby on Rails 3.0.16
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.16
  • Ruby on Rails 3.0.17
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.17
  • Ruby on Rails 3.0.18
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.18
  • Ruby on Rails 3.0.19
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.19
  • Ruby on Rails 3.0.20
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.20
  • Ruby on Rails 2.3.0
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.0
  • Ruby on Rails 2.3.1
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.1
  • Ruby on Rails 2.3.2
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.2
  • Ruby on Rails 2.3.3
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.3
  • Ruby on Rails 2.3.4
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.4
  • Ruby on Rails 2.3.9
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.9
  • Ruby on Rails 2.3.10
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.10
  • Ruby on Rails 2.3.11
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.11
  • Ruby on Rails 2.3.12
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.12
  • Ruby on Rails 2.3.13
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.13
  • Ruby on Rails 2.3.14
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.14
  • Ruby on Rails 2.3.15
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.15
  • Ruby on Rails 2.3.16
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.16
CVSS
Base: 10.0 (as of 13-02-2013 - 12:52)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-2351.NASL
    description Fix for CVE-2013-0277. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 64734
    published 2013-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64734
    title Fedora 17 : rubygem-activerecord-3.0.11-6.fc17 (2013-2351)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-28.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-28 (Ruby on Rails: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Ruby on Rails. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code or cause a Denial of Service condition. Furthermore, a remote attacker may be able to execute arbitrary SQL commands, change parameter names for form inputs and make changes to arbitrary records in the system, bypass intended access restrictions, render arbitrary views, inject arbitrary web script or HTML, or conduct cross-site request forgery (CSRF) attacks. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 79981
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79981
    title GLSA-201412-28 : Ruby on Rails: Multiple vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2620.NASL
    description Two vulnerabilities were discovered in Ruby on Rails, a Ruby framework for web application development. - CVE-2013-0276 The blacklist provided by the attr_protected method could be bypassed with crafted requests, having an application-specific impact. - CVE-2013-0277 In some applications, the +serialize+ helper in ActiveRecord could be tricked into deserializing arbitrary YAML data, possibly leading to remote code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64591
    published 2013-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64591
    title Debian DSA-2620-1 : rails - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-152.NASL
    description The Ruby on Rails 2.3 stack was updated to 2.3.17. The Ruby on Rails 3.2 stack was updated to 3.2.12. The Ruby Rack was updated to 1.1.6. The Ruby Rack was updated to 1.2.8. The Ruby Rack was updated to 1.3.10. The Ruby Rack was updated to 1.4.5. The updates fix various security issues and bugs.
    - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277 :
    - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :
    - update to version 3.2.12 (bnc#803336) CVE-2013-0276: issue with attr_protected where malformed input could circumvent protection
    - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277 :
      - Fix issue with attr_protected where malformed input could circumvent protection
      - Fix Serialized Attributes YAML Vulnerability
    - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277 :
      - Fix issue with attr_protected where malformed input could circumvent protection
      - Fix Serialized Attributes YAML Vulnerability
    - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :
      - Quote numeric values being compared to non-numeric columns. Otherwise, in some database, the string column values will be coerced to a numeric allowing 0, 0.0 or false to match any string starting with a non-digit.
    - update to 1.1.6 (bnc#802794)
      - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
    - update to 1.2.8 (bnc#802794)
      - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
    - update to 1.3.10 (bnc#802794)
      - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
    - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)
      - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
      - Fix CVE-2013-0262, symlink path traversal in Rack::File
    - ruby rack update to 1.4.4 (bnc#798452)
      - [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings (CVE-2013-0184)
    - ruby rack changes from 1.4.3
      - Security: Prevent unbounded reads in large multipart boundaries (CVE-2013-0183)
    - ruby rack changes from 1.4.2 (CVE-2012-6109)
      - Add warnings when users do not provide a session secret
      - Fix parsing performance for unquoted filenames
      - Updated URI backports
      - Fix URI backport version matching, and silence constant warnings
      - Correct parameter parsing with empty values
      - Correct rackup '-I' flag, to allow multiple uses
      - Correct rackup pidfile handling
      - Report rackup line numbers correctly
      - Fix request loops caused by non-stale nonces with time limits
      - Fix reloader on Windows
      - Prevent infinite recursions from Response#to_ary
      - Various middleware better conforms to the body close specification
      - Updated language for the body close specification
      - Additional notes regarding ECMA escape compatibility issues
      - Fix the parsing of multiple ranges in range headers
      - Prevent errors from empty parameter keys
      - Added PATCH verb to Rack::Request
      - Various documentation updates
      - Fix session merge semantics (fixes rack-test)
      - Rack::Static :index can now handle multiple directories
      - All tests now utilize Rack::Lint (special thanks to Lars Gierth)
      - Rack::File cache_control parameter is now deprecated, and removed by 1.5
      - Correct Rack::Directory script name escaping
      - Rack::Static supports header rules for sophisticated configurations
      - Multipart parsing now works without a Content-Length header
      - New logos courtesy of Zachary Scott!
      - Rack::BodyProxy now explicitly defines #each, useful for C extensions
      - Cookies that are not URI escaped no longer cause exceptions
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74900
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74900
    title openSUSE Security Update : RubyOnRails (openSUSE-SU-2013:0338-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2013-002.NASL
    description The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-002 applied. This update contains numerous security-related fixes for the following components : - CoreMedia Playback (10.7 only) - Directory Service (10.6 only) - OpenSSL - QuickDraw Manager - QuickTime - Ruby (10.6 only) - SMB (10.7 only)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 66809
    published 2013-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66809
    title Mac OS X Multiple Vulnerabilities (Security Update 2013-002)
refmap via4
apple APPLE-SA-2013-06-04-1
confirm
debian DSA-2620
mlist
  • [oss-security] 20130211 Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]
  • [rubyonrails-security] 20130211 Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]
osvdb 90073
sectrack 1028109
secunia 52112
suse openSUSE-SU-2013:0462
Last major update 05-06-2013 - 23:24
Published 12-02-2013 - 20:55
Last modified 08-12-2017 - 21:29