Ruby on Rails Steams Critical Security Patch
The popular Ruby on Rails web application development framework that uses Ruby coding language received an “extremely critical security fix” to be installed “immediately”.
Described as a remote code execution vulnerability, the patch fixes a flaw in the Rails JSON code that might have enabled authentication bypass in the hands of skilled cyber-criminals. Also patching a vulnerability that could allow arbitrary SQL code to be injected into an application's database, the security patch only addressed the 2.3.x, 3.1.x and 3.2.x branches of the framework.
“There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application,” according to the security advisory. “This vulnerability has been assigned the CVE identifier CVE-2013-0333.”
With three documented and patched Ruby on Rails vulnerabilities in less than a month, developers are warned to transition to later builds, as Rails' designers cannot guarantee optimal security.
“The JSON Parsing code in Rails 2.3 and 3.0 support multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML,” according to the security advisory. “All users running an affected application should upgrade or use the workaround immediately.”
With Ruby on Rails used to build websites, it's conceivable that most were susceptible to attacks.
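The advisory's description of the bug class (a JSON backend that hands the request body to a YAML parser) can be shown with plain Ruby, without Rails. The following is an added example written for this page, not Rails' code or the advisory's workaround script; the `AuditRecord` class, the sample bodies and the helper names are constructed for illustration. It contrasts a strict JSON parser with a YAML parser: a YAML parser honours type tags and will instantiate a Ruby class named in the document, while a JSON parser only ever produces hashes, arrays, strings, numbers, booleans and nil. The `unsafe` path stands in for the vulnerable backend; the `safe_load` path shows the mitigation, and `suspicious_body?` is a simple defensive check a request filter or log review could apply.

```ruby
require 'json'
require 'yaml'

# Constructed application class, used only to show that a YAML parser
# will build an instance of whatever class a tagged document names.
class AuditRecord
  attr_accessor :level
end

# Constructed sample: an ordinary JSON body a legitimate client would send.
BENIGN_BODY = '{"name": "alice", "role": "user"}'

# Constructed sample: not JSON at all, but a YAML document carrying a
# type tag. A JSON parser rejects it; a YAML parser instantiates the class.
TAGGED_BODY = "--- !ruby/object:AuditRecord\nlevel: 9\n"

# The correct behaviour for a JSON endpoint: parse JSON as JSON.
# Returns the parsed structure, or :rejected for anything that is not JSON.
def parse_strict_json(text)
  JSON.parse(text)
rescue JSON::ParserError
  :rejected
end

# Stand-in (assumption) for the vulnerable backend: the body goes to a
# YAML loader that honours !ruby tags. Older Psych only has YAML.load for
# this; newer Psych separates it out as unsafe_load.
def parse_as_yaml_unsafe(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Mitigated YAML path: safe_load permits only basic scalar and collection
# types, so a document naming a class is refused outright.
def parse_as_yaml_safe(text)
  YAML.safe_load(text)
rescue Psych::DisallowedClass
  :rejected
end

# Defensive check: a body claiming to be JSON has no business containing
# a YAML document marker or a Ruby-specific type tag.
def suspicious_body?(text)
  text.match?(/\A---/) || text.match?(%r{!ruby/})
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_BODY, TAGGED_BODY].each do |body|
    puts "body:          #{body.inspect}"
    puts "  strict JSON: #{parse_strict_json(body).inspect}"
    puts "  yaml unsafe: #{parse_as_yaml_unsafe(body).class}"
    puts "  yaml safe:   #{parse_as_yaml_safe(body).inspect}"
    puts "  suspicious?: #{suspicious_body?(body)}"
  end
end
```

Run stand-alone, the script shows the benign body parsing to the same hash on every path, while the tagged body is rejected by `JSON.parse` and by `YAML.safe_load` but comes back from the unsafe loader as a live `AuditRecord` with `level` set from attacker-controlled text. That class confusion is what the advisory means by "decoding a subset of YAML"; the fix for affected applications was to upgrade, or to switch the JSON backend away from the YAML-based one as the advisory's workaround describes.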