lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Cloudforms Cloudengine
  • 1
Redhat
  • Openshift
Rhel Sam
  • 1.1
Rubyonrails
  • Rails
  • Ruby On Rails

Configuration 1 [-]

OR cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*
Package CPE Advisory Released Date
CloudForms for RHEL 6
katello-0:1.1.12.1-1.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2013:0203 2013-01-29T00:00:00Z
rubygem-activesupport-1:3.0.10-9.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2013:0203 2013-01-29T00:00:00Z
Red Hat Subscription Asset Manager 1.1
rubygem-activesupport-1:3.0.10-7.el6cf cpe:/a:rhel_sam:1.1::el6 RHSA-2013:0201 2013-01-28T00:00:00Z
RHEL 6 Version of OpenShift Enterprise
rubygem-activesupport-1:3.0.13-4.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0202 2013-01-28T00:00:00Z
References
Link Providers
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0201.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0202.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0203.html cve-icon cve-icon
http://support.apple.com/kb/HT5784 cve-icon cve-icon
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/ cve-icon cve-icon
http://www.debian.org/security/2013/dsa-2613 cve-icon cve-icon
http://www.kb.cert.org/vuls/id/628463 cve-icon cve-icon
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo cve-icon
https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2013-0333 cve-icon
https://puppet.com/security/cve/cve-2013-0333 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2013-0333 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-01-30T11:00:00

Updated: 2024-08-06T14:25:09.069Z

Reserved: 2012-12-06T00:00:00

Link: CVE-2013-0333

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2013-01-30T12:00:08.930

Modified: 2023-02-13T04:41:09.367

Link: CVE-2013-0333

cve-icon Redhat

Severity : Critical

Publid Date: 2013-01-28T00:00:00Z

Links: CVE-2013-0333 - Bugzilla