Vulnerability Database
289,782
Total vulnerabilities in the database
CVE-2013-0333
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
| Software | From | Fixed in |
|---|---|---|
| rubyonrails / rails | 2.3.0 | 2.3.0.x |
| rubyonrails / rails | 2.3.1 | 2.3.1.x |
| rubyonrails / rails | 2.3.2 | 2.3.2.x |
| rubyonrails / rails | 2.3.3 | 2.3.3.x |
| rubyonrails / rails | 2.3.4 | 2.3.4.x |
| rubyonrails / rails | 2.3.9 | 2.3.9.x |
| rubyonrails / rails | 2.3.10 | 2.3.10.x |
| rubyonrails / rails | 2.3.11 | 2.3.11.x |
| rubyonrails / rails | 2.3.12 | 2.3.12.x |
| rubyonrails / rails | 2.3.13 | 2.3.13.x |
| rubyonrails / rails | 2.3.14 | 2.3.14.x |
| rubyonrails / rails | 2.3.15 | 2.3.15.x |
| rubyonrails / ruby_on_rails | 3.0.4 | 3.0.4.x |
| rubyonrails / rails | 3.0.0-beta | 3.0.0-beta.x |
| rubyonrails / rails | 3.0.0-beta2 | 3.0.0-beta2.x |
| rubyonrails / rails | 3.0.0-beta3 | 3.0.0-beta3.x |
| rubyonrails / rails | 3.0.0-beta4 | 3.0.0-beta4.x |
| rubyonrails / rails | 3.0.0-rc | 3.0.0-rc.x |
| rubyonrails / rails | 3.0.0-rc2 | 3.0.0-rc2.x |
| rubyonrails / rails | 3.0.1-pre | 3.0.1-pre.x |
| rubyonrails / rails | 3.0.2-pre | 3.0.2-pre.x |
| rubyonrails / rails | 3.0.0 | 3.0.0.x |
| rubyonrails / rails | 3.0.10-rc1 | 3.0.10-rc1.x |
| rubyonrails / rails | 3.0.10 | 3.0.10.x |
| rubyonrails / rails | 3.0.12-rc1 | 3.0.12-rc1.x |
| rubyonrails / rails | 3.0.12 | 3.0.12.x |
| rubyonrails / rails | 3.0.13-rc1 | 3.0.13-rc1.x |
| rubyonrails / rails | 3.0.13 | 3.0.13.x |
| rubyonrails / rails | 3.0.1 | 3.0.1.x |
| rubyonrails / rails | 3.0.2 | 3.0.2.x |
| rubyonrails / rails | 3.0.3 | 3.0.3.x |
| rubyonrails / rails | 3.0.11 | 3.0.11.x |
| rubyonrails / rails | 3.0.14 | 3.0.14.x |
| rubyonrails / rails | 3.0.16 | 3.0.16.x |
| rubyonrails / rails | 3.0.17 | 3.0.17.x |
| rubyonrails / rails | 3.0.18 | 3.0.18.x |
| rubyonrails / rails | 3.0.19 | 3.0.19.x |
| rubyonrails / rails | 3.0.4-rc1 | 3.0.4-rc1.x |
| rubyonrails / rails | 3.0.5 | 3.0.5.x |
| rubyonrails / rails | 3.0.5-rc1 | 3.0.5-rc1.x |
| rubyonrails / rails | 3.0.6-rc1 | 3.0.6-rc1.x |
| rubyonrails / rails | 3.0.6-rc2 | 3.0.6-rc2.x |
| rubyonrails / rails | 3.0.6 | 3.0.6.x |
| rubyonrails / rails | 3.0.7-rc1 | 3.0.7-rc1.x |
| rubyonrails / rails | 3.0.7-rc2 | 3.0.7-rc2.x |
| rubyonrails / rails | 3.0.7 | 3.0.7.x |
| rubyonrails / rails | 3.0.8-rc1 | 3.0.8-rc1.x |
| rubyonrails / rails | 3.0.8-rc2 | 3.0.8-rc2.x |
| rubyonrails / rails | 3.0.8-rc3 | 3.0.8-rc3.x |
| rubyonrails / rails | 3.0.8-rc4 | 3.0.8-rc4.x |
| rubyonrails / rails | 3.0.8 | 3.0.8.x |
| rubyonrails / rails | 3.0.9-rc1 | 3.0.9-rc1.x |
| rubyonrails / rails | 3.0.9-rc2 | 3.0.9-rc2.x |
| rubyonrails / rails | 3.0.9-rc3 | 3.0.9-rc3.x |
| rubyonrails / rails | 3.0.9-rc4 | 3.0.9-rc4.x |
| rubyonrails / rails | 3.0.9 | 3.0.9.x |
| rubyonrails / rails | 3.0.9-rc5 | 3.0.9-rc5.x |
activesupport
|
2.3.2 | 2.3.16 |
|
activesupport
|
3.0.0 | 3.0.20 |
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2013-0201.html
- http://rhn.redhat.com/errata/RHSA-2013-0202.html
- http://rhn.redhat.com/errata/RHSA-2013-0203.html
- http://support.apple.com/kb/HT5784
- http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
- http://www.debian.org/security/2013/dsa-2613
- http://www.kb.cert.org/vuls/id/628463
- https://access.redhat.com/errata/RHSA-2013:0201
- https://access.redhat.com/errata/RHSA-2013:0202
- https://access.redhat.com/errata/RHSA-2013:0203
- https://access.redhat.com/security/cve/CVE-2013-0333
- https://bugzilla.redhat.com/show_bug.cgi?id=903440
- https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
- https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain
- https://puppet.com/security/cve/cve-2013-0333