Sha256: 60a1b33067d6b548aaa05052f2f3ad57465d36d0cf18c9fe0037bbe9411b1f30

Contents?: true

Size: 669 Bytes

Versions: 5

Compression:

Stored size: 669 Bytes

Contents

--- 
gem: activerecord
framework: rails
cve: 2013-0277
osvdb: 90073
url: http://osvdb.org/show/osvdb/90073
title: |
  Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
  Code Execution 
date: 2013-02-11

description: |
  Ruby on Rails contains a flaw in the +serialize+ helper in the Active Record.
  The issue is triggered when the system is configured to allow users to
  directly provide values to be serialized and deserialized using YAML.
  With a specially crafted YAML attribute, a remote attacker can deserialize
  arbitrary YAML and execute code associated with it.

cvss_v2: 10.0

patched_versions: 
  - "~> 2.3.17"
  - ">= 3.1.0"

Version data entries

5 entries across 5 versions & 2 rubygems

Version Path
bundler-budit-0.6.2 data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml
bundler-audit-0.5.0 data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml