Executive Summary
Summary | |
---|---|
Title | rails security update |
Informations | |||
---|---|---|---|
Name | DSA-2613 | First vendor Publication | 2013-01-29 |
Vendor | Debian | Last vendor Modification | 2013-01-29 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Lawrence Pit discovered that Ruby on Rails, a web development framenwork, is vulnerable to a flaw in the parsing of JSON to YAML. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML. The vulnerability has been addressed by removing the YAML backend and adding the OkJson backend. For the stable distribution (squeeze), this problem has been fixed in version 2.3.5-1.2+squeeze6. For the testing distribution (wheezy), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 2.3.14-6 of the ruby-activesupport-2.3 package. The 3.2 version of rails as found in Debian wheezy and sid is not affected by the problem. We recommend that you upgrade your rails packages. |
Original Source
Url : http://www.debian.org/security/2013/dsa-2613 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18384 | |||
Oval ID: | oval:org.mitre.oval:def:18384 | ||
Title: | DSA-2613-1 rails - insufficient input validation | ||
Description: | Lawrence Pit discovered that Ruby on Rails, a web development framework, is vulnerable to a flaw in the parsing of JSON to YAML. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2613-1 CVE-2013-0333 | Version: | 7 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | rails |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Rails JSON to YAML parsing deserialization attempt RuleID : 25552 - Revision : 4 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-28.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-106.nasl - Type : ACT_GATHER_INFO |
2013-06-05 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2013-002.nasl - Type : ACT_GATHER_INFO |
2013-03-15 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2013-001.nasl - Type : ACT_GATHER_INFO |
2013-02-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-1710.nasl - Type : ACT_GATHER_INFO |
2013-02-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-1745.nasl - Type : ACT_GATHER_INFO |
2013-02-05 | Name : The remote host is missing an update for OS X Server that fixes two security ... File : macosx_server_2_2_1.nasl - Type : ACT_GATHER_INFO |
2013-01-31 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2613.nasl - Type : ACT_GATHER_INFO |
2013-01-29 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-0201.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:31:37 |
|
2013-01-30 21:19:55 |
|
2013-01-30 17:19:58 |
|
2013-01-30 13:26:22 |
|
2013-01-30 09:19:13 |
|