CVE-2013-0156

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions 2.3.15 and earlier Ruby on Rails versions 3.0.x through 3.0.18 Ruby on Rails versions 3.1.x through 3.1.9 Ruby on Rails versions 3.2.x through 3.2.10

Description The issue allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service involving nested XML entity references, by leveraging Action Pack support for YAML type conversion or Symbol type conversion. This is due to the improper restriction of casts of string values in the active support/core ext/hash/conversions.rb file.

Recommendations For Ruby on Rails version 2.3.15 and earlier, update to version 2.3.15 or later. For Ruby on Rails versions 3.0.x through 3.0.18, update to version 3.0.19 or later. For Ruby on Rails versions 3.1.x through 3.1.9, update to version 3.1.10 or later. For Ruby on Rails versions 3.2.x through 3.2.10, update to version 3.2.11 or later.