CVE-2013-0277

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.

Published Bysecalert@redhat.com

Published DateFeb 13, 2013, 01:55

Affected Versions(2)

activerecord(RubyGems)

Introduced0

Fixed2.3.17

LimitN/A

activerecord(RubyGems)

Introduced3.0.0

Fixed3.1.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
activerecord(RubyGems)	0	2.3.17	N/A
activerecord(RubyGems)	3.0.0	3.1.0	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:C/I:C/A:C

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

COMPLETE

Integrity (I)

COMPLETE

Availability (A)

COMPLETE

References

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:C/I:C/A:C

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

COMPLETE

Integrity (I)

COMPLETE

Availability (A)

COMPLETE