
Two new (one "critical") Ruby on Rails vulnerabilities

[Security] Posted Jan 9, 2013 13:58 UTC (Wed) by jake

Two new vulnerabilities (CVE-2013-0156, CVE-2013-0155) have been reported in the Ruby on Rails web framework. CVE-2013-0156 is considered a critical vulnerability that should be patched or worked around immediately (it "allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application"), while CVE-2013-0155 can alter some SQL queries when JSON parameter parsing is used. These are distinct from the SQL injection we reported on January 3. More information on CVE-2013-0156 can be found in this analysis.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds