Arbitrary Code Execution via Serialized Attributes in Ruby on Rails

Arbitrary Code Execution via Serialized Attributes in Ruby on Rails

CVE-2013-0277 · HIGH Severity

AV:N/AC:L/AU:N/C:C/I:C/A:C

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.

Learn more about our Web Application Penetration Testing UK.