ID CVE-2013-0333
Summary lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
References
Vulnerable Configurations
  • Ruby on Rails 2.3.0
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.0
  • Ruby on Rails 2.3.1
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.1
  • Ruby on Rails 2.3.2
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.2
  • Ruby on Rails 2.3.3
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.3
  • Ruby on Rails 2.3.4
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.4
  • Ruby on Rails 2.3.9
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.9
  • Ruby on Rails 2.3.10
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.10
  • Ruby on Rails 2.3.11
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.11
  • Ruby on Rails 2.3.12
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.12
  • Ruby on Rails 2.3.13
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.13
  • Ruby on Rails 2.3.14
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.14
  • Ruby on Rails 2.3.15
    cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.15
  • Ruby on Rails 3.0.0
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0
  • Ruby on Rails 3.0.0 beta
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:beta
  • Ruby on Rails 3.0.0 beta2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:beta2
  • Ruby on Rails 3.0.0 beta3
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:beta3
  • Ruby on Rails 3.0.0 beta4
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:beta4
  • Ruby on Rails 3.0.0 release candidate
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:rc
  • Ruby on Rails 3.0.0 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.0:rc2
  • Ruby on Rails 3.0.1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.1
  • Ruby on Rails 3.0.1 pre
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.1:pre
  • Ruby on Rails 3.0.2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.2
  • Ruby on Rails 3.0.2 pre
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.2:pre
  • Ruby on Rails 3.0.3
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.3
  • Ruby on Rails 3.0.4
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4
  • Ruby on Rails 3.0.4 release candidate
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:rc
  • Ruby on Rails 3.0.4 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:rc1
  • Ruby on Rails 3.0.5
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.5
  • Ruby on Rails 3.0.5 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.5:rc1
  • Ruby on Rails 3.0.6
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.6
  • Ruby on Rails 3.0.6 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.6:rc1
  • Ruby on Rails 3.0.6 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.6:rc2
  • Ruby on Rails 3.0.7
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.7
  • Ruby on Rails 3.0.7 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.7:rc1
  • Ruby on Rails 3.0.7 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.7:rc2
  • Ruby on Rails 3.0.8
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8
  • Ruby on Rails 3.0.8 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8:rc1
  • Ruby on Rails 3.0.8 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8:rc2
  • Ruby on Rails 3.0.8 release candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8:rc3
  • Ruby on Rails 3.0.8 release candidate 4
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.8:rc4
  • Ruby on Rails 3.0.9
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9
  • Ruby on Rails 3.0.9 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc1
  • Ruby on Rails 3.0.9 release candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc2
  • Ruby on Rails 3.0.9 release candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc3
  • Ruby on Rails 3.0.9 release candidate 4
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc4
  • Ruby on Rails 3.0.9 release candidate 5
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.9:rc5
  • Ruby on Rails 3.0.10
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.10
  • Ruby on Rails 3.0.10 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.10:rc1
  • Ruby on Rails 3.0.11
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.11
  • Ruby on Rails 3.0.12
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.12
  • Ruby on Rails 3.0.12 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.12:rc1
  • Ruby on Rails 3.0.13
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.13
  • Ruby on Rails 3.0.13 release candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.13:rc1
  • Ruby on Rails 3.0.14
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.14
  • Ruby on Rails 3.0.16
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.16
  • Ruby on Rails 3.0.17
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.17
  • Ruby on Rails 3.0.18
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.18
  • Ruby on Rails 3.0.19
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.19
CVSS
Base: 7.5 (as of 30-01-2013 - 09:19)
Impact:
Exploitability:
Access: Vector NETWORK, Complexity LOW, Authentication NONE
Impact: Confidentiality PARTIAL, Integrity PARTIAL, Availability PARTIAL
exploit-db via4
description Ruby on Rails JSON Processor YAML Deserialization Code Execution. CVE-2013-0333. Remote exploits for multiple platform
id EDB-ID:24434
last seen 2016-02-02
modified 2013-01-29
published 2013-01-29
reporter metasploit
source https://www.exploit-db.com/download/24434/
title Ruby on Rails JSON Processor YAML Deserialization Code Execution
metasploit via4
  • description This module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the JSON request processor.
    id MSF:AUXILIARY/SCANNER/HTTP/RAILS_JSON_YAML_SCANNER
    last seen 2019-03-21
    modified 2017-07-24
    published 2013-02-11
    reliability Normal
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb
    title Ruby on Rails JSON Processor YAML Deserialization Scanner
  • description This module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This vulnerability is very similar to CVE-2013-0156. This module has been tested successfully on RoR 3.0.9, 3.0.19, and 2.3.15. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.
    id MSF:EXPLOIT/MULTI/HTTP/RAILS_JSON_YAML_CODE_EXEC
    last seen 2019-03-20
    modified 2017-07-24
    published 2013-01-29
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_json_yaml_code_exec.rb
    title Ruby on Rails JSON Processor YAML Deserialization Code Execution
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-28.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-28 (Ruby on Rails: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Ruby on Rails. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code or cause a Denial of Service condition. Furthermore, a remote attacker may be able to execute arbitrary SQL commands, change parameter names for form inputs and make changes to arbitrary records in the system, bypass intended access restrictions, render arbitrary views, inject arbitrary web script or HTML, or conduct cross-site request forgery (CSRF) attacks. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 79981
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79981
    title GLSA-201412-28 : Ruby on Rails: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1745.NASL
    description Fixes CVE-2013-0333. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 64542
    published 2013-02-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64542
    title Fedora 16 : rubygem-activesupport-3.0.10-6.fc16 (2013-1745)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0201.NASL
    description An updated rubygem-activesupport package that fixes one security issue is now available for Red Hat Subscription Asset Manager. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Ruby on Rails is a model-view-controller (MVC) framework for web application development. Active Support provides support and utility classes used by the Ruby on Rails framework. A flaw was found in the way Active Support performed the parsing of JSON requests by translating them to YAML. A remote attacker could use this flaw to execute arbitrary code with the privileges of a Ruby on Rails application, perform SQL injection attacks, or bypass the authentication using a specially-created JSON request. (CVE-2013-0333) Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Lawrence Pit of Mirror42 as the original reporter. Users of Red Hat Subscription Asset Manager are advised to upgrade to this updated package, which resolves this issue. Katello must be restarted ('service katello restart') for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64281
    published 2013-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64281
    title RHEL 6 : rubygem-activesupport in Subscription Asset Manager (RHSA-2013:0201)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1710.NASL
    description Fixes CVE-2013-0333. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 64540
    published 2013-02-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64540
    title Fedora 17 : rubygem-activesupport-3.0.11-8.fc17 (2013-1710)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2013-002.NASL
    description The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-002 applied. This update contains numerous security-related fixes for the following components : - CoreMedia Playback (10.7 only) - Directory Service (10.6 only) - OpenSSL - QuickDraw Manager - QuickTime - Ruby (10.6 only) - SMB (10.7 only)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 66809
    published 2013-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66809
    title Mac OS X Multiple Vulnerabilities (Security Update 2013-002)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0202.NASL
    description An updated rubygem-activesupport package that fixes one security issue is now available for Red Hat OpenShift Enterprise 1.0. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Ruby on Rails is a model-view-controller (MVC) framework for web application development. Active Support provides support and utility classes used by the Ruby on Rails framework. A flaw was found in the way Active Support performed the parsing of JSON requests by translating them to YAML. A remote attacker could use this flaw to execute arbitrary code with the privileges of a Ruby on Rails application, perform SQL injection attacks, or bypass the authentication using a specially-created JSON request. (CVE-2013-0333) Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Lawrence Pit of Mirror42 as the original reporter. All users of Red Hat OpenShift Enterprise are advised to upgrade to this updated package, which resolves this issue. For Red Hat OpenShift Enterprise administrators, the openshift-broker and openshift-console services must be restarted for this update to take effect. Users of OpenShift are advised to update their own applications that are running Ruby on Rails.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 119430
    published 2018-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119430
    title RHEL 6 : rubygem-activesupport (RHSA-2013:0202)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SERVER_2_2_1.NASL
    description The remote Mac OS X 10.8 host has a version of OS X Server installed that is prior to 2.2.1. It is, therefore, affected by the following vulnerabilities : - A type casting issue exists in Ruby on Rails due to improper handling of XML parameters. A remote attacker can exploit this issue to execute arbitrary code through either the Profile Manager or Wiki Server components. (CVE-2013-0156) - A type casting issue exists in Ruby on Rails due to improper handling of JSON data. A remote attacker can exploit this to execute arbitrary code through the Wiki Server component. (CVE-2013-0333)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 64476
    published 2013-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64476
    title Mac OS X : OS X Server < 2.2.1 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-106.NASL
    description This update updates the RubyOnRails 2.3 stack to 2.3.16, also this update updates the RubyOnRails 3.2 stack to 3.2.11. Security and bugfixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed. CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74881
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74881
    title openSUSE Security Update : ruby (openSUSE-SU-2013:0278-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2013-001.NASL
    description The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-001 applied. This update contains numerous security-related fixes for the following components : - Apache - CoreTypes (10.7 only) - International Components for Unicode - Identity Services (10.7 only) - ImageIO - Messages Server (Server only) - PDFKit - Podcast Producer Server (Server only) - PostgreSQL (Server only) - Profile Manager (10.7 Server only) - QuickTime - Ruby (10.6 Server only) - Security - Software Update - Wiki Server (10.7 Server only) Note that the update also runs a malware removal tool that will remove the most common variants of malware.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 65578
    published 2013-03-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65578
    title Mac OS X Multiple Vulnerabilities (Security Update 2013-001)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2613.NASL
    description Lawrence Pit discovered that Ruby on Rails, a web development framework, is vulnerable to a flaw in the parsing of JSON to YAML. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML. The vulnerability has been addressed by removing the YAML backend and adding the OkJson backend.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64364
    published 2013-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64364
    title Debian DSA-2613-1 : rails - insufficient input validation
packetstorm via4
data source https://packetstormsecurity.com/files/download/119872/rails_json_yaml_code_exec.rb.txt
id PACKETSTORM:119872
last seen 2016-12-05
published 2013-01-29
reporter egypt
source https://packetstormsecurity.com/files/119872/Ruby-on-Rails-JSON-Processor-YAML-Deserialization-Code-Execution.html
title Ruby on Rails JSON Processor YAML Deserialization Code Execution
redhat via4
advisories
  • rhsa
    id RHSA-2013:0201
  • rhsa
    id RHSA-2013:0202
  • rhsa
    id RHSA-2013:0203
refmap via4
apple
  • APPLE-SA-2013-03-14-1
  • APPLE-SA-2013-06-04-1
cert-vn VU#628463
confirm
debian DSA-2613
mlist [rubyonrails-security] 20130129 Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
Last major update 05-06-2013 - 23:24
Published 30-01-2013 - 07:00
Last modified 08-12-2017 - 21:29