- Vulnerability/
- REDHAT-BUG-903440
REDHAT-BUG-903440
First published: Thu Jan 24 2013(Updated: )
The Ruby on Rails project reports: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3 There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier <a href="https://access.redhat.com/security/cve/CVE-2013-0333">CVE-2013-0333</a>. Versions Affected: 2.3.x, 3.0.x Not Affected: 3.1.x, 3.2.x Fixed Versions: 3.0.20, 2.3.16 Impact ------ The JSON Parsing code in Rails 2.3 and 3.0 support multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML. Note: This is a seperate vulnerability to <a href="https://access.redhat.com/security/cve/CVE-2013-0156">CVE-2013-0156</a>, if you are running a 2.3 or 3.0 application you must still take action to protect your application. Releases -------- The 3.0.20 and 2.3.16 releases are available at the normal locations. Workarounds ----------- To work around this vulnerability you need to switch backends to the JsonGem backend. Place this code in an application initializer: ActiveSupport::JSON.backend = "JSONGem" If you are running Ruby 1.8 you will need to ensure that the json or json_pure gems are installed and in your application's Gemfile. Ruby 1.9 includes this code already. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 2-3-json-parser.patch - Patch for 2.3 series * 3-0-json-parser.patch - Patch for 3.0 series Please note that only the 2.3.x, 3.1.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Lawrence Pit of Mirror42 for discovering the vulnerability and working responsibly with us to ensure we shipped a fix.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby on Rails | >=2.3.0<2.4.0>=3.0.0<3.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2013-0333
- https://access.redhat.com/security/cve/CVE-2013-0156
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=686419&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=686419&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=686420&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=686420&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=688771&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=688771&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=688784
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=688784&action=edit
- https://brewweb.devel.redhat.com/taskinfo?taskID=5326330
- http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
- https://rhn.redhat.com/errata/RHSA-2013-0202.html
- https://rhn.redhat.com/errata/RHSA-2013-0201.html
- https://rhn.redhat.com/errata/RHSA-2013-0203.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=905373
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=905374
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=905375
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=905376
- https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
- https://bugzilla.redhat.com/show_bug.cgi?id=903440
Frequently Asked Questions
What is the severity of REDHAT-BUG-903440?
The severity of REDHAT-BUG-903440 is high, as it can lead to severe security issues, including unauthorized access and code execution.
How do I fix REDHAT-BUG-903440?
To fix REDHAT-BUG-903440, upgrade your Ruby on Rails version to at least 3.1.0 or 2.4.0, as these versions contain security patches.
Who is affected by REDHAT-BUG-903440?
Any applications running Ruby on Rails version 2.3.x or 3.0.x are affected by REDHAT-BUG-903440.
What types of attacks can be executed due to REDHAT-BUG-903440?
Due to REDHAT-BUG-903440, attackers can bypass authentication, inject SQL, execute arbitrary code, or launch DoS attacks.
When was REDHAT-BUG-903440 reported?
REDHAT-BUG-903440 was reported in 2013, highlighting vulnerabilities in the JSON parser used in older Ruby on Rails versions.
- collector/redhat-bugzilla
- alias/CVE-2013-0333
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/ruby on rails
- canonical/ruby on rails