CVE-2013-0277 — Deserialization of Untrusted Data in Project Activerecord

CWE-502 — Deserialization of Untrusted Data9 documents7 sources

Severity

10.0CRITICALNVD

EPSS

6.7%

top 8.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Activerecord Project Activerecord Rubyonrails Ruby ON Rails

Timeline

PublishedFeb 13

Latest updateOct 24

Description

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages4 packages

▶Debianrubyonrails/rails< 2.3.14.1+3

▶NVDrubyonrails/rails33 versions+32

▶NVDrubyonrails/ruby_on_rails3.0.4

▶RubyGemsactiverecord_project/activerecord3.0.0 — 3.1.0+1

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

Active Record contains deserialization of arbitrary YAML↗2017-10-24

▶

GHSA

Active Record contains deserialization of arbitrary YAML↗2017-10-24

▶

OSV

CVE-2013-0277: ActiveRecord in Ruby on Rails before 2↗2013-02-13

▶

CVEList

CVE-2013-0277: ActiveRecord in Ruby on Rails before 2↗2013-02-13

▶

📋Vendor Advisories

Red Hat

rubygem-activerecord: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0↗2013-02-11

▶

Debian

CVE-2013-0277: rails - ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote a...↗2013

▶

💬Community

Bugzilla

CVE-2013-0277 rubygem-activerecord: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [fedora-all]↗2013-04-07

▶

Bugzilla

CVE-2013-0277 rubygem-activerecord: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0↗2013-02-10

▶