The JSON gem prior to 1.5.5, 1.6.x prior to 1.6.8, and 1.7.x prior to 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
heroku-CVE-2013-0269: Inspect all of your Heroku apps to see if they are running a vulnerable version of JSON. Background: a security vulnerability has been found in the Ruby JSON gem. This is the root cause for the recently-announced MySQL injection issue in Rails. A new release of the JSON gem is available. Developers can get a full list of all their affected Heroku applications.
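As an added example (not part of this page, the Heroku tool or the JSON gem), the following Ruby script applies the affected version ranges from the advisory above to the `json` entry of a Gemfile.lock; the embedded lockfile text is constructed for the demonstration, and a real lockfile path can be passed as the first argument.

```ruby
require 'rubygems'

# Fixed versions named in the advisory: 1.5.5, 1.6.8 and 1.7.7.
# Everything below 1.5.5 is affected; the 1.6.x and 1.7.x series are
# affected until their own fix release. Gem::Version does the comparison
# so that e.g. "1.7.10" sorts above "1.7.7" (a plain string compare would not).
def json_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < Gem::Version.new('1.5.5')
  return true if v >= Gem::Version.new('1.6') && v < Gem::Version.new('1.6.8')
  return true if v >= Gem::Version.new('1.7') && v < Gem::Version.new('1.7.7')
  false
end

# Extracts the locked json gem version from Gemfile.lock text, or nil.
# Resolved gems sit under "specs:" at exactly four spaces of indentation;
# dependency lines such as "      json (~> 1.7)" are indented six and are
# skipped on purpose, since they carry a requirement, not the locked version.
def locked_json_version(lockfile_text)
  m = lockfile_text.match(/^ {4}json \(([^)\s]+)\)/)
  m && m[1]
end

# One-line report for a single app's lockfile.
def check_lockfile(lockfile_text)
  version = locked_json_version(lockfile_text)
  return 'json gem not locked (check the app manually)' if version.nil?
  status = json_vulnerable?(version) ? 'VULNERABLE' : 'ok'
  "json #{version}: #{status}"
end

# Constructed sample lockfile (not from a real application): the app locks
# json 1.7.6, which is below the 1.7.7 fix release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.7.6)
      rails (3.2.11)
        json (~> 1.7)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts check_lockfile(text)   # sample prints "json 1.7.6: VULNERABLE"
end
```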
Web app framework Ruby on Rails patched two security flaws this week in the open source framework that could have led to denial of service attacks and remote execution vulnerabilities.
With builds 3.2.12, 3.1.11 and 2.3.17, the framework fixed a serialized attributes YAML vulnerability (CVE-2013-0277) that could have let developers give users access to the +serialize+ helper in ActiveRecord. From there an attacker could have used a specially crafted request to trick the functio...