CVE-2013-0333

Published: 30/01/2013 Updated: 13/02/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 756
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x prior to 2.3.16 and 3.0.x prior to 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote malicious users to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
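To make the summary concrete: the vulnerable backend's JSON decoder was, in effect, a YAML loader fed the raw request body, and a YAML loader that honours !ruby/object tags will instantiate whatever class the body names. The Ruby below is an added example, not the Rails backend's code and not the Metasploit module listed further down. It defines a harmless class and two constructed request bodies, places the loader-as-JSON-parser mistake next to two hardened decoders (a real JSON parser, which is what the fix amounted to, and the restricted YAML loader), and reports what each decoder does with each body. The AuditEvent class, both bodies and every helper name are assumptions for the demonstration; on Psych 4 and later YAML.load is already the safe loader, so the example calls unsafe_load where it exists to reproduce the 2013 behaviour.

```ruby
require 'yaml'
require 'json'

# Added example (not the Rails backend's own code): a harmless application
# class whose instantiation from a request body we can observe.
class AuditEvent
  attr_accessor :note
end

# Constructed request bodies for this example.  The first is what a client is
# supposed to send.  The second is a YAML document carrying a Ruby object tag,
# which is the kind of input a "JSON" decoder built on a YAML loader accepts.
JSON_BODY = '{"note": "hello"}'
TAGGED_BODY = <<~BODY
  --- !ruby/object:AuditEvent
  note: injected
BODY

# Mimics the core mistake of the Rails 2.3/3.0 YAML backend: the request body
# reaches the full YAML loader, which honours !ruby/object tags.
# Assumption: on Psych >= 4 YAML.load is already the safe loader, so
# unsafe_load is used where it exists to reproduce the pre-fix behaviour.
def yaml_backend_decode(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Hardening option 1, the spirit of the actual fix: a real JSON parser, which
# rejects anything that is not JSON instead of interpreting it.
def json_decode(body)
  JSON.parse(body)
end

# Hardening option 2, for code that genuinely must accept YAML: the restricted
# loader, which refuses object tags unless a class is explicitly permitted.
def safe_yaml_decode(body)
  YAML.safe_load(body)
end

# Runs one decoder and reports what came out: the class name of the result,
# or "rejected: <error class>" when the parser refused the input.
def decode_outcome(decoder, body)
  result = send(decoder, body)
  result.class.name
rescue JSON::ParserError, Psych::DisallowedClass, Psych::SyntaxError => e
  "rejected: #{e.class}"
end

if __FILE__ == $0
  %i[yaml_backend_decode json_decode safe_yaml_decode].each do |decoder|
    puts "#{decoder}: JSON body   -> #{decode_outcome(decoder, JSON_BODY)}"
    puts "#{decoder}: tagged body -> #{decode_outcome(decoder, TAGGED_BODY)}"
  end
end
```

Run it with ruby: the vulnerable decoder returns a Hash for the JSON body, which is why the backend appeared to work, and an AuditEvent for the tagged body, which is the bug; JSON.parse raises JSON::ParserError on the tagged body and YAML.safe_load raises Psych::DisallowedClass. When auditing older Ruby code, the thing to grep for is the first line of each decoder: any path on which request data reaches YAML.load is a deserialization sink, and the Content-Type header only chooses which parser runs.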

Vulnerable Products

rubyonrails rails 2.3.0
rubyonrails rails 2.3.1
rubyonrails rails 2.3.2
rubyonrails rails 2.3.3
rubyonrails rails 2.3.4
rubyonrails rails 2.3.9
rubyonrails rails 2.3.10
rubyonrails rails 2.3.11
rubyonrails rails 2.3.12
rubyonrails rails 2.3.13
rubyonrails rails 2.3.14
rubyonrails rails 2.3.15
rubyonrails rails 3.0.0
rubyonrails rails 3.0.1
rubyonrails rails 3.0.2
rubyonrails rails 3.0.3
rubyonrails rails 3.0.4
rubyonrails rails 3.0.5
rubyonrails rails 3.0.6
rubyonrails rails 3.0.7
rubyonrails rails 3.0.8
rubyonrails rails 3.0.9
rubyonrails rails 3.0.10
rubyonrails rails 3.0.11
rubyonrails rails 3.0.12
rubyonrails rails 3.0.13
rubyonrails rails 3.0.14
rubyonrails rails 3.0.16
rubyonrails rails 3.0.17
rubyonrails rails 3.0.18
rubyonrails rails 3.0.19
rubyonrails ruby on rails 3.0.4

Vendor Advisories

Synopsis: Critical: rubygem-activesupport security update. Type/Severity: Security Advisory: Critical. Topic: An updated rubygem-activesupport package that fixes one security issue is now available for Red Hat Subscription Asset Manager. The Red Hat Security Response Team has rated this update as having critical se ...
Synopsis: Critical: rubygem-activesupport security update. Type/Severity: Security Advisory: Critical. Topic: An updated rubygem-activesupport package that fixes one security issue is now available for Red Hat OpenShift Enterprise 1.0. The Red Hat Security Response Team has rated this update as having critical secu ...
Debian Bug report logs - #699226 rails: CVE-2013-0333: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3. Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails (PTS, buildd, popcon). Reported by: Salvatore Bonaccorso & ...
Lawrence Pit discovered that Ruby on Rails, a web development framework, is vulnerable to a flaw in the parsing of JSON to YAML. Using a specially crafted payload, attackers can trick the backend into decoding a subset of YAML. The vulnerability has been addressed by removing the YAML backend and adding the OkJson backend. For the stable distributio ...

Exploits

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit ...

Github Repositories

Inspect all of your heroku apps to see if they are running a vulnerable version of Rails

heroku-CVE-2013-0156: This vulnerability has been supplanted by CVE-2013-0333. See groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo for more details. A replacement for this script, covering CVE-2013-0333, can be found at github.com/heroku/heroku-CVE-2013-0333.

heroku-CVE-2013-0333: Inspect all of your heroku apps to see if they are running a vulnerable version of Rails. Background: A serious security vulnerability has been found in the Ruby on Rails framework. This exploit affects nearly all applications running Rails versions 2.3 and 3.0, and a patch has been made available. Rails developers can get a full list of all your affected Her
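The Heroku script inspects the Rails version of each deployed app. As an added example, not the Heroku project's code, the Ruby below applies the same version check offline to a Gemfile.lock: it extracts the resolved rails version, compares it against the first fixed release on each affected branch (2.3.16 and 3.0.20, as stated in the summary on this page), and returns a small report. The lockfile fragment is constructed for the example, and the helper names are assumptions; branches other than 2.3 and 3.0 are not listed as affected here, so they are reported as not vulnerable to this CVE.

```ruby
require 'rubygems'

# Constructed Gemfile.lock fragment for this example (not from any real app).
# The indentation mirrors Bundler's layout: a resolved spec is indented four
# spaces and its dependencies six.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.0.19)
      activesupport (3.0.19)
      rails (3.0.19)
        actionpack (= 3.0.19)
        activesupport (= 3.0.19)
LOCK

# First fixed release on each affected branch, per the advisory summary on
# this page.  Branches absent from this table are not listed as affected.
FIXED_VERSIONS = {
  "2.3" => Gem::Version.new("2.3.16"),
  "3.0" => Gem::Version.new("3.0.20"),
}.freeze

# Pulls the resolved rails version out of a Gemfile.lock.  Only the four-space
# spec line matches, so a six-space "rails (= x.y.z)" dependency line is
# ignored.
def rails_version_from_lock(lock)
  match = lock.match(/^ {4}rails \(([^)]+)\)\s*$/)
  match && match[1]
end

# True when the version lies on an affected branch and predates that branch's
# fix.  Gem::Version orders prereleases (3.0.20.rc1) below the final release,
# so a release candidate of the fixed version is still flagged.
def vulnerable_to_cve_2013_0333?(version)
  v = Gem::Version.new(version)
  fixed = FIXED_VERSIONS[v.segments.first(2).join(".")]
  !fixed.nil? && v < fixed
end

# One-shot check returning a report hash suitable for logging.  :vulnerable is
# nil (unknown) when the lockfile has no rails spec at all.
def check_lockfile(lock)
  version = rails_version_from_lock(lock)
  return { version: nil, vulnerable: nil, note: "no rails spec found" } unless version

  { version: version, vulnerable: vulnerable_to_cve_2013_0333?(version), note: nil }
end

if __FILE__ == $0
  lock = ARGV[0] ? File.read(ARGV[0]) : LOCKFILE
  puts check_lockfile(lock).inspect
end
```

With no argument the script checks the embedded sample and reports 3.0.19 as vulnerable; pass a path to a real Gemfile.lock to check an application. The branch lookup is deliberate: a version such as 3.2.11 is simply outside this CVE's scope, which is different from being patched, so a fleet-wide report should keep the two cases distinct.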

The only safe eval is no eval.

Disable Eval: The only safe eval is no eval. This gem provides the method DisableEval.protect, which does the following: undefines all builtin eval methods; verifies that no one has aliased those methods to other names. Note that it is not practically possible to eliminate every single way of evaluating code if you can call arbitrary methods on arbitrary objects with arbitrary argu