- Vulnerability/
- REDHAT-BUG-892870
REDHAT-BUG-892870
First published: Tue Jan 08 2013(Updated: )
The Ruby on Rails project reports: Multiple vulnerabilities in parameter parsing in ActionPack There are multiple weaknesses in the parameter parsing code for Ruby on Rails which could allow attackers to bypass authentication systems, inject arbitrary SQL, inject an execute arbitrary code, or perform a DoS attack on a rails application. This vulnerability has been assigned the CVE identifier <a href="https://access.redhat.com/security/cve/CVE-2013-0156">CVE-2013-0156</a>. Versions Affected: ALL versions Not affected: NONE Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15 Impact ------ The XML parameter parsing code of Ruby on Rails allows applications to automatically to cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including. This unsuitable conversion can be used by an attacker to compromise a rails application. Due to the serious nature of this vulnerability, and the fact it has been disclosed publicly, all users running an affected release should either upgrade or use one of the work arounds *immediately*. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- The work arounds differ depending on the rails version you are using. It involves disabling the YAML and Symbol type conversion from the Rails XML parser. You should place one of the following code snippets in an application initializer to ensure your application isn't vulnerable. Rails 3.2, 3.1, 3.0 --------- ActiveSupport::XmlMini::PARSING.delete("symbol") ActiveSupport::XmlMini::PARSING.delete("yaml") Rails 2.3 --------- ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol') ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby on Rails ActionPack | <=2.3.14 | |
| Ruby on Rails ActionPack | <=3.2.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2013-0156
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=674509&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=674509&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=674510&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=674510&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=674511&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=674511&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=674512&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=674512&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=893188
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675064&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675064&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675066&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675066&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675067&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675067&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675068&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675068&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675069&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675069&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675070&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675070&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675071&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675071&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675072&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675072&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675077&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675077&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675078&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675078&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675079&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675079&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675080&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=675080&action=edit
- https://access.redhat.com/security/cve/CVE-2012-0156
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=893189
- https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=847202
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=893281
- http://www.insinuator.net/2013/01/rails-yaml/
- https://access.redhat.com/knowledge/node/290903
- https://rhn.redhat.com/errata/RHSA-2013-0154.html
- https://rhn.redhat.com/errata/RHSA-2013-0153.html
- https://rhn.redhat.com/errata/RHSA-2013-0155.html
- https://bugzilla.redhat.com/show_bug.cgi?id=892870
- collector/redhat-bugzilla
- alias/CVE-2013-0156
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/references
- agent/softwarecombine
- agent/description
- agent/event
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/ruby on rails
- canonical/ruby on rails actionpack