CVE-2013-0333
rails - insufficient input validation
EPSS 91.8%
Description
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
How to fix CVE-2013-0333
To remediate CVE-2013-0333, upgrade the affected package to one of the fixed versions listed below.
- Debian/rails: upgrade to 2.3.14.1 or later
- upgrade to 2.3.5-1.2+squeeze6 or later
- upgrade to 2.3.16 or later
Is CVE-2013-0333 being exploited?
Likely. The EPSS score is 91.8%, placing CVE-2013-0333 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (3)
- from 0, < 2.3.14.1
- from 0, < 2.3.5-1.2+squeeze6
- >= 2.3.2, < 2.3.16