CVE-2013-0277
First published: Wed Feb 13 2013(Updated: )
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/activerecord | >=3.0.0<3.1.0 | 3.1.0 |
| rubygems/activerecord | <2.3.17 | 2.3.17 |
| Ruby on Rails | =3.0.0 | |
| Ruby on Rails | =3.0.0-beta | |
| Ruby on Rails | =3.0.0-beta2 | |
| Ruby on Rails | =3.0.0-beta3 | |
| Ruby on Rails | =3.0.0-beta4 | |
| Ruby on Rails | =3.0.0-rc | |
| Ruby on Rails | =3.0.0-rc2 | |
| Ruby on Rails | =3.0.1 | |
| Ruby on Rails | =3.0.1-pre | |
| Ruby on Rails | =3.0.2 | |
| Ruby on Rails | =3.0.2-pre | |
| Ruby on Rails | =3.0.3 | |
| Ruby on Rails | =3.0.4-rc1 | |
| Ruby on Rails | =3.0.5 | |
| Ruby on Rails | =3.0.5-rc1 | |
| Ruby on Rails | =3.0.6 | |
| Ruby on Rails | =3.0.6-rc1 | |
| Ruby on Rails | =3.0.6-rc2 | |
| Ruby on Rails | =3.0.7 | |
| Ruby on Rails | =3.0.7-rc1 | |
| Ruby on Rails | =3.0.7-rc2 | |
| Ruby on Rails | =3.0.8 | |
| Ruby on Rails | =3.0.8-rc1 | |
| Ruby on Rails | =3.0.8-rc2 | |
| Ruby on Rails | =3.0.8-rc3 | |
| Ruby on Rails | =3.0.8-rc4 | |
| Ruby on Rails | =3.0.9 | |
| Ruby on Rails | =3.0.9-rc1 | |
| Ruby on Rails | =3.0.9-rc2 | |
| Ruby on Rails | =3.0.9-rc3 | |
| Ruby on Rails | =3.0.9-rc4 | |
| Ruby on Rails | =3.0.9-rc5 | |
| Ruby on Rails | =3.0.10 | |
| Ruby on Rails | =3.0.10-rc1 | |
| Ruby on Rails | =3.0.11 | |
| Ruby on Rails | =3.0.12 | |
| Ruby on Rails | =3.0.12-rc1 | |
| Ruby on Rails | =3.0.13 | |
| Ruby on Rails | =3.0.13-rc1 | |
| Ruby on Rails | =3.0.14 | |
| Ruby on Rails | =3.0.16 | |
| Ruby on Rails | =3.0.17 | |
| Ruby on Rails | =3.0.18 | |
| Ruby on Rails | =3.0.19 | |
| Ruby on Rails | =3.0.20 | |
| Ruby on Rails | =3.0.4 | |
| Ruby on Rails | =2.3.0 | |
| Ruby on Rails | =2.3.1 | |
| Ruby on Rails | =2.3.2 | |
| Ruby on Rails | =2.3.3 | |
| Ruby on Rails | =2.3.4 | |
| Ruby on Rails | =2.3.9 | |
| Ruby on Rails | =2.3.10 | |
| Ruby on Rails | =2.3.11 | |
| Ruby on Rails | =2.3.12 | |
| Ruby on Rails | =2.3.13 | |
| Ruby on Rails | =2.3.14 | |
| Ruby on Rails | =2.3.15 | |
| Ruby on Rails | =2.3.16 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2013-0277
- https://groups.google.com/group/rubyonrails-security/msg/302ec7ce90f13837?dmode=source&output=gplain
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
- http://support.apple.com/kb/HT5784
- http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
- http://www.debian.org/security/2013/dsa-2620
- http://www.openwall.com/lists/oss-security/2013/02/11/6
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0277.yml
- https://puppet.com/security/cve/cve-2013-0277
- http://securitytracker.com/id?1028109
- https://github.com/advisories/GHSA-fhj9-cjjh-27vm (Advisory)
- http://secunia.com/advisories/52112
- http://www.osvdb.org/90073
Frequently Asked Questions
What is the severity of CVE-2013-0277?
CVE-2013-0277 has a severity level that allows for denial of service and the potential execution of arbitrary code.
How do I fix CVE-2013-0277?
To fix CVE-2013-0277, upgrade ActiveRecord to version 2.3.17 or 3.1.0 or later.
Which versions of ActiveRecord are affected by CVE-2013-0277?
CVE-2013-0277 affects ActiveRecord versions prior to 2.3.17 and 3.0.x versions before 3.1.0.
When was CVE-2013-0277 discovered?
CVE-2013-0277 was discovered and published in early 2013.
What kind of attack does CVE-2013-0277 enable?
CVE-2013-0277 enables remote attackers to conduct denial of service attacks or execute arbitrary code through crafted serialized attributes.
- collector/github-advisory-latest
- alias/GHSA-fhj9-cjjh-27vm
- alias/CVE-2013-0277
- collector/github-advisory
- agent/author
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/rubygems
- vendor/rubyonrails
- canonical/ruby on rails
- version/ruby on rails/3.0.0
- version/ruby on rails/3.0.0-beta
- version/ruby on rails/3.0.0-beta2
- version/ruby on rails/3.0.0-beta3
- version/ruby on rails/3.0.0-beta4
- version/ruby on rails/3.0.0-rc
- version/ruby on rails/3.0.0-rc2
- version/ruby on rails/3.0.1
- version/ruby on rails/3.0.1-pre
- version/ruby on rails/3.0.2
- version/ruby on rails/3.0.2-pre
- version/ruby on rails/3.0.3
- version/ruby on rails/3.0.4-rc1
- version/ruby on rails/3.0.5
- version/ruby on rails/3.0.5-rc1
- version/ruby on rails/3.0.6
- version/ruby on rails/3.0.6-rc1
- version/ruby on rails/3.0.6-rc2
- version/ruby on rails/3.0.7
- version/ruby on rails/3.0.7-rc1
- version/ruby on rails/3.0.7-rc2
- version/ruby on rails/3.0.8
- version/ruby on rails/3.0.8-rc1
- version/ruby on rails/3.0.8-rc2
- version/ruby on rails/3.0.8-rc3
- version/ruby on rails/3.0.8-rc4
- version/ruby on rails/3.0.9
- version/ruby on rails/3.0.9-rc1
- version/ruby on rails/3.0.9-rc2
- version/ruby on rails/3.0.9-rc3
- version/ruby on rails/3.0.9-rc4
- version/ruby on rails/3.0.9-rc5
- version/ruby on rails/3.0.10
- version/ruby on rails/3.0.10-rc1
- version/ruby on rails/3.0.11
- version/ruby on rails/3.0.12
- version/ruby on rails/3.0.12-rc1
- version/ruby on rails/3.0.13
- version/ruby on rails/3.0.13-rc1
- version/ruby on rails/3.0.14
- version/ruby on rails/3.0.16
- version/ruby on rails/3.0.17
- version/ruby on rails/3.0.18
- version/ruby on rails/3.0.19
- version/ruby on rails/3.0.20
- version/ruby on rails/3.0.4
- version/ruby on rails/2.3.0
- version/ruby on rails/2.3.1
- version/ruby on rails/2.3.2
- version/ruby on rails/2.3.3
- version/ruby on rails/2.3.4
- version/ruby on rails/2.3.9
- version/ruby on rails/2.3.10
- version/ruby on rails/2.3.11
- version/ruby on rails/2.3.12
- version/ruby on rails/2.3.13
- version/ruby on rails/2.3.14
- version/ruby on rails/2.3.15
- version/ruby on rails/2.3.16