Ruby on Rails Security Fix

Monday, February 18, 2013 @ 04:02 PM gHale

Security fixes are the order of the day for the developers of Ruby on Rails as they released versions 3.2.12, 3.1.11 and 2.3.17. Ruby on Rails 3.2.12 and 3.1.11 fix one security issue, while 2.3.17 addresses two additional vulnerabilities.

The first vulnerability (CVE-2013-0276) affects the attr_protected method in ActiveRecord; an attacker could exploit it to circumvent the protection and alter records by sending a specially crafted request.
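As an added illustration (not code from the article or from the Rails project), a plain-Ruby sketch of the difference between a blocklist of protected attributes in the style of attr_protected and an allowlist of assignable attributes in the style of attr_accessible: the allowlist fails closed for any attribute it does not name, the blocklist fails open. The attribute names and request parameters are constructed.

```ruby
# Added illustration, not Rails code: allowlist (attr_accessible style) versus
# blocklist (attr_protected style) mass-assignment filtering.
# All attribute names and request parameters below are constructed.

# Attributes a request may legitimately set on a hypothetical User record.
ASSIGNABLE = %w[name email].freeze
# Attributes a blocklist-style guard explicitly forbids. "role" is deliberately
# missing: a column added later stays unprotected until someone lists it.
PROTECTED = %w[admin].freeze

# attr_accessible style: keep only names that were explicitly allowed.
def allowlist_filter(params)
  params.select { |key, _| ASSIGNABLE.include?(key.to_s) }
end

# attr_protected style: drop only names that were explicitly forbidden.
def blocklist_filter(params)
  params.reject { |key, _| PROTECTED.include?(key.to_s) }
end

# Constructed request body: a normal profile update plus two attributes the
# client should never be able to set.
CRAFTED_PARAMS = {
  "name"  => "alice",
  "email" => "alice@example.test",
  "admin" => "1",
  "role"  => "superuser",   # not on the blocklist, so it passes through
}.freeze

# Returns the attribute names that survive each filter, i.e. what would reach
# the record under each policy.
def surviving_attributes(params = CRAFTED_PARAMS)
  {
    allowlist: allowlist_filter(params).keys,
    blocklist: blocklist_filter(params).keys,
  }
end

if __FILE__ == $PROGRAM_NAME
  result = surviving_attributes
  puts "allowlist keeps: #{result[:allowlist].inspect}"
  puts "blocklist keeps: #{result[:blocklist].inspect}"
end
```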


The second issue, in the handling of serialized attributes stored as YAML, could be leveraged by an attacker for a denial-of-service (DoS) attack and even to remotely execute arbitrary code.

Finally, the latest updates address a DoS and unsafe object creation vulnerability in JSON.

Users should update their installations as soon as possible to avoid incidents, the developers said.

Ruby on Rails is available for download here.
