
Web Attack: Ruby On Rails CVE-2013-0333

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit an arbitrary code execution vulnerability in Ruby on Rails.

Additional Information

Ruby on Rails is a web application framework for multiple platforms.

Ruby on Rails is prone to an arbitrary code execution vulnerability because the JSON parser backend used by Rails 2.3 and 3.0 converts JSON request bodies into YAML text and then hands that text to the YAML loader. The YAML loader instantiates arbitrary Ruby objects from type tags (for example '!ruby/object:...'), so an attacker who controls the body can have the application build objects of any loaded class; the problem is unsafe deserialization rather than missing input sanitization. Specifically, this issue affects the 'convert_json_to_yaml()' method of the JSON parser (the YAML-based JSON backend in ActiveSupport).

Successful exploits may allow an attacker to bypass certain security restrictions, execute arbitrary code in the context of the affected application, exploit latent vulnerabilities in the underlying database, deny service to legitimate users, or perform unauthorized actions. Other attacks are also possible.

This issue is fixed in:

Ruby on Rails 2.3.16
Ruby on Rails 3.0.20

Rails 3.1 and 3.2 do not use the YAML-based JSON backend and are not affected by this particular issue.
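The following is an added example written for this page; it is not Symantec's signature logic and not the Rails source. It reproduces the flawed step in a deliberately simplified form: a converter that rewrites JSON text into YAML and an unrestricted YAML load of the result, side by side with two hardened alternatives (a real JSON parser, and Psych.safe_load for code that must keep a YAML path). The 'Canary' class, the sample request bodies and the '!ruby/' request-screening heuristic are all constructed for the example and are assumptions, not content from the advisory.

```ruby
require 'yaml'
require 'json'

# Harmless stand-in for whatever class an attacker would actually target.
# Seeing an instance of it come back from the decoder proves the YAML loader
# instantiated an attacker-chosen class from a body that was supposed to be JSON.
class Canary
  attr_accessor :cmd
end

# Constructed sample request bodies (not captured traffic).
BENIGN_BODY  = '{"user": "alice", "role": "admin"}'
PAYLOAD_BODY = '{"user": "alice", "role": "!ruby/object:Canary {cmd: id}"}'

# Simplified model of the flawed step (NOT the Rails implementation): turn the
# JSON text into YAML by stripping the quotes around string tokens. JSON flow
# syntax is also valid YAML, so the result still parses, but the unquoted
# values are now read with full YAML semantics, including !ruby/... type tags
# that JSON itself has no way to express.
def convert_json_to_yaml(json)
  json.gsub(/"((?:[^"\\]|\\.)*)"/) { $1 }
end

# Vulnerable decoder: load the converted text with the unrestricted loader.
# YAML.load was unrestricted in the Rails 2.3/3.0 era; Psych >= 4 (Ruby >= 3.1)
# renames that behaviour YAML.unsafe_load, so use whichever name exists.
def vulnerable_json_decode(json)
  yaml = convert_json_to_yaml(json)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Hardened option 1: parse JSON with a real JSON parser. JSON has no object or
# tag syntax, so "!ruby/object:..." comes back as an ordinary string.
def safe_json_decode(json)
  JSON.parse(json)
end

# Hardened option 2 (for code that must keep a YAML path): Psych.safe_load only
# builds core types and raises Psych::DisallowedClass for any other tag.
# Returns [:ok, value] or [:rejected, message] so the caller can log attempts.
def hardened_yaml_decode(json)
  [:ok, YAML.safe_load(convert_json_to_yaml(json))]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Request-screening heuristic (an assumption for this example, not the
# signature's logic): a JSON body never legitimately carries a YAML tag, so a
# "!ruby/" token in the raw body is a strong indicator of this attack family.
YAML_TAG_RE = /!ruby\//

def suspicious_body?(body)
  !!(body =~ YAML_TAG_RE)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, benign : #{vulnerable_json_decode(BENIGN_BODY).inspect}"
  puts "vulnerable, payload: #{vulnerable_json_decode(PAYLOAD_BODY).inspect}"
  puts "JSON.parse, payload: #{safe_json_decode(PAYLOAD_BODY).inspect}"
  puts "safe_load, payload : #{hardened_yaml_decode(PAYLOAD_BODY).inspect}"
  puts "screen, payload    : #{suspicious_body?(PAYLOAD_BODY)}"
end
```

Run stand-alone, the vulnerable decoder returns a Canary instance with @cmd set to "id" for the payload body, while JSON.parse returns the tag as an inert string and safe_load rejects the document with Psych::DisallowedClass. The converter here is intentionally naive (it also strips quotes from keys and ignores escape sequences); the point it shares with the real bug is that YAML, not JSON, decides what the text means once the quotes are gone.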

Affected

  • SuSE WebYaST 1.2
  • + S.u.S.E. Linux 8.1
  • + S.u.S.E. Linux Personal 9.1
  • + S.u.S.E. Linux Personal 9.0 x86_64
  • + S.u.S.E. Linux Personal 9.0
  • + S.u.S.E. Linux Personal 8.2
  • SuSE Studio Standard Edition 1.2
  • SuSE Studio Onsite 1.2
  • SuSE Studio Extension for System z 1.2
  • SuSE openSUSE 12.1
  • SuSE openSUSE 11.4
  • Ruby on Rails Ruby on Rails 3.0.13
  • Ruby on Rails Ruby on Rails 3.0.12
  • Ruby on Rails Ruby on Rails 3.0.11
  • Ruby on Rails Ruby on Rails 3.0.6
  • Ruby on Rails Ruby on Rails 3.0.5
  • Ruby on Rails Ruby on Rails 3.0.4
  • Ruby on Rails Ruby on Rails 3.0.3
  • Ruby on Rails Ruby on Rails 3.0.2
  • Ruby on Rails Ruby on Rails 3.0.1
  • Ruby on Rails Ruby on Rails 3.0
  • Ruby on Rails Ruby on Rails 2.3.11
  • Ruby on Rails Ruby on Rails 2.3.10
  • Ruby on Rails Ruby on Rails 2.3.9
  • Ruby on Rails Ruby on Rails 2.3.5
  • Ruby on Rails Ruby on Rails 2.3.4
  • Ruby on Rails Ruby on Rails 2.3.3
  • Ruby on Rails Ruby on Rails 2.3.2
  • Ruby on Rails Ruby on Rails 3.0.8
  • Ruby on Rails Ruby on Rails 3.0.7
  • Ruby on Rails Ruby on Rails 3.0.10
  • Ruby on Rails Ruby on Rails 2.3.14
  • Ruby on Rails Ruby on Rails 2.3.13
  • Ruby on Rails Ruby on Rails 2.3.12
  • Red Hat Fedora 17
  • Red Hat Fedora 16
  • Debian Linux 6.0 sparc
  • Debian Linux 6.0 s/390
  • Debian Linux 6.0 powerpc
  • Debian Linux 6.0 mips
  • Debian Linux 6.0 ia-64
  • Debian Linux 6.0 ia-32
  • Debian Linux 6.0 arm
  • Debian Linux 6.0 amd64
  • Avaya Voice Portal 5.1.2
  • Avaya Voice Portal 5.1.1
  • Avaya Voice Portal 5.1 SP1
  • Avaya Voice Portal 5.1
  • Avaya Voice Portal 5.0 SP2
  • Avaya Voice Portal 5.0 SP1
  • Avaya Voice Portal 5.0
  • Avaya Secure Access Link Gateway 2.0
  • Avaya Secure Access Link Gateway 1.8
  • Avaya Secure Access Link Gateway 1.5
  • Avaya Integrated Management Suite (IMS) 0
  • Avaya CVLAN
  • Avaya Aura System Manager 6.2
  • Avaya Aura System Manager 6.1.3
  • Avaya Aura System Manager 6.1.2
  • Avaya Aura System Manager 6.1.1
  • Avaya Aura System Manager 6.1 SP2
  • Avaya Aura System Manager 6.1 Sp1
  • Avaya Aura System Manager 6.1
  • Avaya Aura System Manager 6.0 SP1
  • Avaya Aura System Manager 6.0
  • Avaya Aura Presence Services 6.1.1
  • Avaya Aura Presence Services 6.1
  • Avaya Aura Presence Services 6.0
  • Avaya Aura Presence Services 5.2
  • Avaya Aura Experience Portal 6.0
  • Avaya Aura Application Enablement Services 5.2.1
  • Avaya Aura Application Enablement Services 4.2.3
  • Avaya Aura Application Enablement Services 4.2.2
  • Avaya Aura Application Enablement Services 4.2.1
  • Avaya Aura Application Enablement Services 4.0.1
  • Avaya Aura Application Enablement Services 5.2.3
  • Avaya Aura Application Enablement Services 5.2.2
  • Avaya Aura Application Enablement Services 5.2
  • Avaya Aura Application Enablement Services 4.2
  • Avaya Aura Application Enablement Services 4.1
  • Avaya Aura Application Enablement Services 4.0
  • Apple Mac Os X Server 10.7.4
  • Apple Mac Os X Server 10.7.3
  • Apple Mac Os X Server 10.7.2
  • Apple Mac Os X Server 10.7.1
  • Apple Mac Os X Server 10.7
  • Apple Mac Os X Server 10.6.8
  • Apple Mac Os X 10.7.4
  • Apple Mac Os X 10.7.3
  • Apple Mac Os X 10.7.2
  • Apple Mac Os X 10.7.1