Rubyonrails : Security Vulnerabilities, CVEs, Published In 2013 (Code Execution)
CVE-2013-0333
Public exploit
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
Max CVSS
7.5
EPSS Score
97.39%
Published
2013-01-30
Updated
2023-02-13
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
Max CVSS
10.0
EPSS Score
9.89%
Published
2013-02-13
Updated
2019-08-08
CVE-2013-0156
Public exploit
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Max CVSS
7.5
EPSS Score
97.29%
Published
2013-01-13
Updated
2023-02-13
3 vulnerabilities found