Ruby on Rails Fixes Vulnerabilities

Thursday, February 20, 2014 @ 05:02 PM gHale


Ruby on Rails fixed three vulnerabilities with its new releases 4.0.3, 3.2.17 and 4.1.0.beta2, which address data injection, cross-site scripting and denial-of-service issues.

The developers said the vulnerabilities fixed in 3.2.17 have the following identifiers: CVE-2014-0081 and CVE-2014-0082. In Rails 4.0.3, developers fixed the issues with the identifiers CVE-2014-0080 and CVE-2014-0081.


In 4.1.0.beta2, the list of security fixes includes CVE-2014-0080 and CVE-2014-0081.

CVE-2014-0080 is a data injection vulnerability affecting Active Record. The flaw can be exploited to inject data into array columns in PostgreSQL databases.

CVE-2014-0081 refers to a cross-site scripting (XSS) vulnerability in the “number_to_currency,” “number_to_percentage” and “number_to_human” helpers.
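The bug class behind a cross-site scripting flaw in a number-formatting helper is caller-supplied option strings (for example a currency unit or a format template) being placed into HTML output without escaping. The following Ruby is an added illustration and is not Rails' own number_to_currency code nor a reproduction of the exact CVE-2014-0081 mechanics: the helper names currency_unescaped and currency_escaped, the format_amount helper and the "<b>injected</b>" unit string are all constructed here to show the unescaped pattern beside the hardened one.

```ruby
require "erb"

# Constructed stand-in for a currency formatter: adds thousands
# delimiters and a fixed number of decimals. Not Rails' implementation.
def format_amount(number, precision: 2, delimiter: ",", separator: ".")
  whole, frac = ("%.#{precision}f" % number).split(".")
  # Insert a delimiter before every group of three digits from the right.
  whole = whole.gsub(/(\d)(?=(\d{3})+(?!\d))/) { "#{$1}#{delimiter}" }
  frac ? "#{whole}#{separator}#{frac}" : whole
end

# Vulnerable pattern (constructed): the caller-supplied :unit and :format
# strings are dropped into the markup as-is, so markup in either option
# survives into the rendered page.
def currency_unescaped(number, unit: "$", format: "%u%n")
  format.gsub("%u") { unit }.gsub("%n") { format_amount(number) }
end

# Hardened pattern: every caller-supplied fragment is HTML-escaped before
# it is substituted into the output. Block-form gsub is used so that
# backslashes in the escaped strings are not treated as backreferences.
def currency_escaped(number, unit: "$", format: "%u%n")
  safe_unit   = ERB::Util.html_escape(unit)
  safe_format = ERB::Util.html_escape(format)
  safe_format.gsub("%u") { safe_unit }.gsub("%n") { format_amount(number) }
end

# Simple review check: true when the rendered string still contains a raw
# tag opener, i.e. escaping was skipped somewhere.
def raw_markup?(rendered)
  rendered.include?("<")
end

if __FILE__ == $PROGRAM_NAME
  hostile_unit = "<b>injected</b>" # constructed, attacker-controlled value
  puts currency_unescaped(1234.5, unit: hostile_unit)
  puts currency_escaped(1234.5, unit: hostile_unit)
end
```

The fix is the same one applied to any view helper: treat every option that can originate from a request as untrusted text and escape it at the point where it becomes HTML, rather than relying on callers to sanitise it first.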

CVE-2014-0082 is a denial-of-service (DoS) issue in Action View. The issue affects the text rendering component in Action View.

Users should update their installations as soon as possible.


