CVE-2013-0277 - Remote Code Execution vulnerability in Ruby on Rails

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2620.NASL
    description: Two vulnerabilities were discovered in Ruby on Rails, a Ruby framework for web application development.
      - CVE-2013-0276: The blacklist provided by the attr_protected method could be bypassed with crafted requests, having an application-specific impact.
      - CVE-2013-0277: In some applications, the +serialize+ helper in ActiveRecord could be tricked into deserializing arbitrary YAML data, possibly leading to remote code execution.
    last seen: 2020-03-17
    modified: 2013-02-13
    plugin id: 64591
    published: 2013-02-13
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/64591
    title: Debian DSA-2620-1 : rails - several vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-2351.NASL
    description: Fix for CVE-2013-0277. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-02-21
    plugin id: 64734
    published: 2013-02-21
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64734
    title: Fedora 17 : rubygem-activerecord-3.0.11-6.fc17 (2013-2351)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201412-28.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201412-28 (Ruby on Rails: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Ruby on Rails. Please review the CVE identifiers referenced below for details.
      Impact: A remote attacker could execute arbitrary code or cause a Denial of Service condition. Furthermore, a remote attacker may be able to execute arbitrary SQL commands, change parameter names for form inputs and make changes to arbitrary records in the system, bypass intended access restrictions, render arbitrary views, inject arbitrary web script or HTML, or conduct cross-site request forgery (CSRF) attacks.
      Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79981
    published: 2014-12-15
    reporter: This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79981
    title: GLSA-201412-28 : Ruby on Rails: Multiple vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-152.NASL
    description: The Ruby on Rails 2.3 stack was updated to 2.3.17. The Ruby on Rails 3.2 stack was updated to 3.2.12. The Ruby Rack was updated to 1.1.6. The Ruby Rack was updated to 1.2.8. The Ruby Rack was updated to 1.3.10. The Ruby Rack was updated to 1.4.5. The updates fix various security issues and bugs.
      - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277
      - update to version 3.2.12 (bnc#803336) CVE-2013-0276
      - update to version 3.2.12 (bnc#803336) CVE-2013-0276: issue with attr_protected where malformed input could circumvent protection
      - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277:
        - Fix issue with attr_protected where malformed input could circumvent protection
        - Fix Serialized Attributes YAML Vulnerability
      - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277:
        - Fix issue with attr_protected where malformed input could circumvent protection
        - Fix Serialized Attributes YAML Vulnerability
      - update to version 3.2.12 (bnc#803336) CVE-2013-0276:
        - Quote numeric values being compared to non-numeric columns. Otherwise, in some database, the string column values will be coerced to a numeric allowing 0, 0.0 or false to match any string starting with a non-digit.
      - update to 1.1.6 (bnc#802794)
        - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
      - update to 1.2.8 (bnc#802794)
        - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
      - update to 1.3.10 (bnc#802794)
        - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
      - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)
        - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
        - Fix CVE-2013-0262, symlink path traversal in Rack::File
      - ruby rack update to 1.4.4 (bnc#798452)
        - [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings (CVE-2013-0184)
      - ruby rack changes from 1.4.3
        - Security: Prevent unbounded reads in large multipart boundaries (CVE-2013-0183)
      - ruby rack changes from 1.4.2 (CVE-2012-6109)
        - Add warnings when users do not provide a session secret
        - Fix parsing performance for unquoted filenames
        - Updated URI backports
        - Fix URI backport version matching, and silence constant warnings
        - Correct parameter parsing with empty values
        - Correct rackup
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74900
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74900
    title: openSUSE Security Update : RubyOnRails (openSUSE-SU-2013:0338-1)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2013-002.NASL
    description: The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-002 applied. This update contains numerous security-related fixes for the following components:
      - CoreMedia Playback (10.7 only)
      - Directory Service (10.6 only)
      - OpenSSL
      - QuickDraw Manager
      - QuickTime
      - Ruby (10.6 only)
      - SMB (10.7 only)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66809
    published: 2013-06-05
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66809
    title: Mac OS X Multiple Vulnerabilities (Security Update 2013-002)

Seebug

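bulletinFamily: exploit
description: BUGTRAQ ID: 57898
  CVE(CAN) ID: CVE-2013-0277
  Ruby on Rails, abbreviated RoR or Rails, is an open-source web application framework written in Ruby that strictly follows the MVC architecture.
  ActiveRecord in Ruby on Rails 3.x and 2.3.x allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
  Ruby on Rails 3.2.x
  Ruby on Rails 3.1.x
  Ruby on Rails 2.3.x
  Vendor patch:
  Ruby on Rails
  The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://www.rubyonrails.com/
id: SSV:60663
last seen: 2017-11-19
modified: 2013-03-07
published: 2013-03-07
reporter: Root
title: Ruby on Rails remote code execution vulnerability (CVE-2013-0277)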