Sha256: 2ba7ebd619e641f8929af4cfb6e35c40fa203753f5df87b9ca062d945eee5287
Contents?: true
Size: 804 Bytes
Versions: 1
Compression:
Stored size: 804 Bytes
Contents
```yaml
---
gem: activesupport
framework: rails
cve: 2013-0333
osvdb: 89594
url: https://nvd.nist.gov/vuln/detail/CVE-2013-0333
title: Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code Execution
date: 2013-01-28
description: |
  Ruby on Rails contains a flaw in the JSON parser. Rails supports multiple
  parsing backends, one of which involves transforming JSON into YAML via the
  YAML parser. With a specially crafted payload, an attacker can subvert the
  backend into decoding a subset of YAML. This may allow a remote attacker to
  bypass restrictions, allowing them to bypass authentication systems, inject
  arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on
  a Rails application.
cvss_v2: 9.3
patched_versions:
  - ~> 2.3.16
  - ">= 3.0.20"
```
Version data entries
1 entries across 1 versions & 1 rubygems
Version | Path |
---|---|
bundler-audit-0.7.0.1 | data/ruby-advisory-db/gems/activesupport/CVE-2013-0333.yml |