GHSA-fhj9-cjjh-27vm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fhj9-cjjh-27vm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-fhj9-cjjh-27vm/GHSA-fhj9-cjjh-27vm.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-fhj9-cjjh-27vm
- Aliases
- Published
- 2017-10-24T18:33:37Z
- Modified
- 2024-12-03T06:02:54.724715Z
- Summary
- Active Record contains deserialization of arbitrary YAML
- Details
-
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
- Database specific
{ "nvd_published_at": "2013-02-13T01:55:05Z", "cwe_ids": [ "CWE-502" ], "severity": "CRITICAL", "github_reviewed_at": "2020-06-16T21:34:43Z", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-0277
- https://github.com/rails/rails/tree/v6.1.4.1/activerecord
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0277.yml
- https://groups.google.com/group/rubyonrails-security/msg/302ec7ce90f13837?dmode=source&output=gplain
- https://puppet.com/security/cve/cve-2013-0277
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
- http://securitytracker.com/id?1028109
- http://support.apple.com/kb/HT5784
- http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released
- http://www.debian.org/security/2013/dsa-2620
- http://www.openwall.com/lists/oss-security/2013/02/11/6
Affected packages
RubyGems / activerecord
Package
- Name
- activerecord
- Purl
- pkg:gem/activerecord
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.17
Affected versions
1.*
1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.5.1
1.6.0
1.7.0
1.8.0
1.9.0
1.9.1
1.10.0
1.10.1
1.11.0
1.11.1
1.12.1
1.12.2
1.13.0
1.13.1
1.13.2
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.15.0
1.15.1
1.15.2
1.15.3
1.15.4
1.15.5
1.15.6
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.2
2.2.3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8.pre1
2.3.8
2.3.9.pre
2.3.9
2.3.10
2.3.11
2.3.12
2.3.14
2.3.15
2.3.16
RubyGems / activerecord
Package
- Name
- activerecord
- Purl
- pkg:gem/activerecord
Affected versions
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4
3.0.8
3.0.9.rc1
3.0.9.rc3
3.0.9.rc4
3.0.9.rc5
3.0.9
3.0.10.rc1
3.0.10
3.0.11
3.0.12.rc1
3.0.12
3.0.13.rc1
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.1.0.beta1
3.1.0.rc1
3.1.0.rc2
3.1.0.rc3
3.1.0.rc4
3.1.0.rc5
3.1.0.rc6
3.1.0.rc8