CVE-2013-0333

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions 2.3.x through 2.3.15 Ruby on Rails versions 3.0.x through 3.0.19

Description The issue affects the confidentiality, integrity, and availability of protected information. It can be exploited remotely. The problem lies in the lib/active support/json/backends/yaml.rb file, which does not properly convert JSON data to YAML data for processing by a YAML parser. This allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding.

Recommendations For Ruby on Rails versions 2.3.x through 2.3.15, update to version 2.3.16 or later. For Ruby on Rails versions 3.0.x through 3.0.19, update to version 3.0.20 or later. As a temporary workaround, consider disabling the lib/active support/json/backends/yaml.rb file until a patch is available. Restrict access to the vulnerable YAML parser to minimize the risk of exploitation. Avoid using crafted data that triggers unsafe decoding in the affected API endpoints until the issue is resolved.