Industry News

Ruby on Rails Steams Critical Security Patch

The popular Ruby on Rails web application development framework, written in the Ruby programming language, has received an “extremely critical security fix” that users are told to install “immediately”.

Described as a remote code execution vulnerability, the flaw lies in the Rails JSON code and might have enabled authentication bypass in the hands of skilled cyber-criminals. The security patch, which also closes a vulnerability that could allow arbitrary SQL code to be injected into an application’s database, only addressed the 2.3.x, 3.1.x and 3.2.x branches of the framework.

“There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application,” according to the security advisory. “This vulnerability has been assigned the CVE identifier CVE-2013-0333.”

With three Ruby on Rails vulnerabilities documented and patched in less than a month, developers are warned to move to later builds, as Rails’ designers cannot guarantee optimal security on older ones.

“The JSON Parsing code in Rails 2.3 and 3.0 support multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML,” according to the security advisory. “All users running an affected application should upgrade or use the workaround immediately.”
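The JSON-to-YAML hand-off the advisory describes is why the choice of parser matters: JSON is close enough to YAML that a YAML backend will happily decode it, but YAML carries type tags that JSON does not. The Ruby snippet below is an added example, not code from the advisory or from Rails; it shows a decoder that treats request bodies as JSON only, and, where a YAML parser must be used on untrusted input, uses Psych's safe_load with an empty class allow-list so a tagged node is rejected instead of instantiated. The request bodies are constructed, and the names BENIGN_BODY, TAGGED_BODY, decode_json_body and decode_yaml_body are assumptions.

```ruby
require "json"
require "yaml"

# Constructed request bodies for illustration only (not from any real incident).
BENIGN_BODY = '{"user": {"name": "alice", "admin": false}}'
# A JSON-looking body carrying a YAML type tag. A strict JSON parser must treat
# this as a syntax error; a YAML parser must refuse to build the tagged class.
TAGGED_BODY = '{"user": !ruby/object:Object {}}'

# Strict decoding: the JSON grammar has no type tags, so anything that is not
# plain JSON is a parse error rather than a YAML document. create_additions:
# false also stops the json gem from turning {"json_class": ...} into objects.
def decode_json_body(body)
  JSON.parse(body, create_additions: false)
rescue JSON::ParserError => e
  { error: "rejected: #{e.class}" }
end

# If YAML parsing of untrusted input is unavoidable, only safe_load with an
# explicit (here empty) allow-list is acceptable: tagged nodes raise
# Psych::DisallowedClass instead of being instantiated, and aliases are off.
def decode_yaml_body(body)
  YAML.safe_load(body, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  { error: "rejected: #{e.class}" }
end

if __FILE__ == $0
  p decode_json_body(BENIGN_BODY)   # plain hash
  p decode_json_body(TAGGED_BODY)   # {:error=>"rejected: JSON::ParserError"}
  p decode_yaml_body(BENIGN_BODY)   # same hash: JSON is valid YAML
  p decode_yaml_body(TAGGED_BODY)   # {:error=>"rejected: Psych::DisallowedClass"}
end
```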

With Ruby on Rails so widely used to build websites, it’s conceivable that many of those sites were susceptible to attack.

About the author
Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.