GitHub Advisory Database: GHSA-FHJ9-CJJH-27VM
History: Oct 24, 2017 - 6:33 p.m.

Active Record contains deserialization of arbitrary YAML

Published: 2017-10-24 18:33:37
Weakness: CWE-502
Source: GitHub Advisory Database (github.com)

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.099 Low
Percentile: 94.9%

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the serialize helper to deserialize arbitrary YAML.

Affected configurations

Vulners nodes:
  activerecord_project / activerecord, range < 3.1.0 (ruby)
  OR
  activerecord_project / activerecord, range < 2.3.17 (ruby)

CPE:
  Name           Operator   Version
  activerecord   lt         3.1.0
  activerecord   lt         2.3.17
