Ruby on Rails Multiple Vulnerabilities
Last Update Date: 10 Jan 2013 10:42
Release Date: 10 Jan 2013
RISK: High Risk
TYPE: Servers - Internet App Servers
Multiple vulnerabilities have been identified in Ruby on Rails. A remote user can generate unsafe queries, bypass authentication systems, inject SQL commands, inject and execute arbitrary code, and cause denial of service conditions.
- A remote user can supply specially crafted data to exploit an Active Record validation flaw and a JSON parameter parsing bug, potentially causing the application to issue unexpected database queries with "IS NULL" or empty WHERE clauses.
- The parameter parsing code does not properly cast values from strings to certain data types, which may allow a remote user to compromise a target Rails application.
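The second bullet is the defensive point: a parsed request body may hand the application a nil, an empty array or a nested hash where a plain string was expected, and an unpatched Rails would forward that value into the query builder. The following is an added example, not code from the advisory or from Rails itself. It uses only Ruby's standard JSON library and a hypothetical helper, strict_string_params, that rejects any lookup parameter that is not a non-empty string before the value can reach a WHERE clause. The request bodies are constructed for illustration.

```ruby
require "json"

# Constructed sample request bodies (not taken from the advisory). The first is
# a normal lookup; the others carry null, empty-array and hash values of the
# kind that, on a vulnerable version, would pass through to Active Record as an
# "IS NULL" or empty WHERE clause instead of a string comparison.
SAMPLE_BODIES = {
  normal:      '{"name": "alice", "token": "abc123"}',
  null_value:  '{"name": "alice", "token": null}',
  empty_array: '{"name": "alice", "token": []}',
  nested_hash: '{"name": "alice", "token": {"x": 1}}',
  not_object:  '["alice", "abc123"]',
}

class BadParameter < StandardError; end

# Hypothetical helper: parse the body, then return only the requested keys and
# insist that each value is a non-empty String. Anything else raises, so a
# value of the wrong type never reaches the query layer. This is a
# type-check on the application side, not a reimplementation of Rails' fix.
def strict_string_params(body, *keys)
  parsed = JSON.parse(body)
  raise BadParameter, "body must be a JSON object" unless parsed.is_a?(Hash)

  keys.each_with_object({}) do |key, out|
    value = parsed[key]
    unless value.is_a?(String) && !value.empty?
      raise BadParameter, "#{key} must be a non-empty string, got #{value.inspect}"
    end
    out[key] = value
  end
end

# Run every sample through the check and report the outcome as a value, so the
# behaviour can be asserted on rather than only printed.
def classify(bodies)
  bodies.transform_values do |body|
    begin
      strict_string_params(body, "name", "token")
      :accepted
    rescue BadParameter, JSON::ParserError
      :rejected
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  classify(SAMPLE_BODIES).each { |label, outcome| puts "#{label}: #{outcome}" }
end
```

Only the well-formed body is accepted; each malformed one is rejected before any query is built. In a real application the same check would sit in the controller (or a strong-parameters style filter) in front of any finder that is fed request data, and the upgrade listed under Solutions below remains the actual fix.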
Impact
- Cross-Site Scripting
- Denial of Service
- Remote Code Execution
- Security Restriction Bypass
System / Technologies affected
- Versions prior to 2.3.15, 3.0.19, 3.1.10, and 3.2.11
Solutions
Before installing the software, please visit the manufacturer's website for more details.
- The vendor has issued a fix (2.3.15, 3.0.19, 3.1.10, and 3.2.11).
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/