Ruby on Rails up to 3.0 yaml.rb convert_json_to_yaml SQL injection

CVSS Meta Temp Score: 9.4
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.

Current Exploit Price (≈): $0-$5k
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.

CTI Interest Score: 0.00
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.

Summary

A vulnerability classified as critical was found in Ruby on Rails up to 3.0. This affects the function convert_json_to_yaml in the library lib/active_support/json/backends/yaml.rb. Manipulation of the input can lead to SQL injection. The identification of this vulnerability is CVE-2013-0333. The attack may be launched remotely. Furthermore, there is an exploit available. Upgrading the affected component is advised.

Details

A vulnerability was found in Ruby on Rails up to 3.0 (Programming Language Software). It has been declared as very critical. This vulnerability affects the function convert_json_to_yaml in the library lib/active_support/json/backends/yaml.rb. Manipulation with an unknown input leads to an SQL injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

The weakness was shared on 01/28/2013 by Lawrence Pit of Mirror42 as a confirmed mailing list post (Website). The advisory is available for download at groups.google.com. The vendor cooperated in the coordination of the public release. This vulnerability was named CVE-2013-0333 since 12/06/2012. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details and also a public exploit are known. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 12/22/2024). The MITRE ATT&CK project declares the attack technique as T1505.

A public exploit has been developed by Metasploit and was published immediately after the advisory. It is possible to download the exploit at gist.github.com. It is declared as highly functional. The vulnerability scanner Nessus provides a plugin with the ID 64364 (Debian DSA-2613-1 : rails - insufficient input validation), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Debian Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 166172 (SUSE Security Update for Ruby On Rails (openSUSE-SU-2013:0278-1)).

Upgrading to version 3.0.20 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability. Furthermore, it is possible to detect and prevent this kind of attack with TippingPoint and the filter 13033.
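The CVE text above describes a JSON decoder that rewrites request bodies into YAML before parsing, so YAML type tags hidden in JSON strings reach the YAML parser. The following Ruby snippet is an added example, not code from this VulDB entry or from Rails: it decodes JSON with the json gem, which never evaluates YAML tags, and flags bodies carrying YAML-only syntax so an edge filter can log or reject them. The sample bodies, the `Widget` class name and the `YAML_MARKUP` pattern are constructed for this example; the tagged bodies are inert strings, not working payloads.

```ruby
require "json"

# Constructed sample request bodies (not captured traffic). A decoder that
# rewrites JSON into YAML text before parsing would hand the tagged bodies to
# the YAML parser, where "!ruby/..." is a type tag rather than plain data.
SAMPLE_BODIES = {
  "benign"   => '{"user":{"name":"alice","role":"member"}}',
  "ruby_tag" => '{"user":{"name":"!ruby/object:Widget {}"}}',
  "hash_tag" => "{\"q\":\"--- !ruby/hash:Widget\\n\"}",
  "broken"   => '{"user":'
}.freeze

# YAML-only syntax that has no meaning in JSON: Ruby type tags, the "!!"
# tag handle, or a document marker. Any of these inside a JSON body is a
# strong signal that a YAML-backed decoder is being targeted. (Assumed
# pattern for this example; tune it to the traffic you actually see.)
YAML_MARKUP = %r{!ruby/|!!\w|^---}.freeze

def suspicious_yaml_markup?(body)
  !!(body =~ YAML_MARKUP)
end

# Decode with the json gem: it never evaluates YAML tags, so "!ruby/object"
# survives only as an ordinary string. Parse errors are reported, not hidden.
def safe_decode(body)
  JSON.parse(body)
rescue JSON::ParserError => e
  { error: e.class.name }
end

# Triage a body the way an edge filter would: drop tagged input before it
# reaches the application, otherwise decode it with the safe parser.
def triage(body)
  return { verdict: :reject, reason: "yaml markup in json body" } if suspicious_yaml_markup?(body)

  decoded = safe_decode(body)
  return { verdict: :reject, reason: decoded[:error] } if decoded.is_a?(Hash) && decoded.key?(:error)

  { verdict: :accept, data: decoded }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BODIES.each { |label, body| puts "#{label}: #{triage(body).inspect}" }
end
```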

The vulnerability is also documented in the databases at X-Force (81549), Exploit-DB (24434), Tenable (64364), OSVDB (89594†) and Secunia (SA51938†). Additional details are provided at pcworld.com. The entries VDB-7309 and VDB-61085 are related to this item. Once again VulDB remains the best source for vulnerability data.

CVSSv3

VulDB Meta Base Score: 9.8
VulDB Meta Temp Score: 9.4

VulDB Base Score: 9.8
VulDB Temp Score: 9.4

Exploiting

Class: SQL injection
CWE: CWE-89 / CWE-74 / CWE-707

Physical: No
Local: No
Remote: Yes

Access: Public
Status: Highly functional
Author: Metasploit

Nessus ID: 64364
Nessus Name: Debian DSA-2613-1 : rails - insufficient input validation

OpenVAS ID: 892613
OpenVAS Name: Debian Security Advisory DSA 2613-1 (rails - insufficient input validation)

MetaSploit ID: rails_json_yaml_scanner.rb
MetaSploit Name: Ruby on Rails JSON Processor YAML Deserialization Scanner

Countermeasures

Recommended: Upgrade

Upgrade: Ruby on Rails 3.0.20
Suricata ID: 2016305

Sources

Advisory: groups.google.com
Researcher: Lawrence Pit
Organization: Mirror42
Status: Confirmed

CVE: CVE-2013-0333
GCVE (CVE): GCVE-0-2013-0333
GCVE (VulDB): GCVE-100-7504

X-Force: 81549
Secunia: 51938 - Ruby on Rails JSON Parser YAML Handling Vulnerability, Highly Critical
OSVDB: 89594
SecurityTracker: 1028052 - Ruby on Rails Input Validation Flaw in JSON Parser Lets Remote Users Bypass Authentication, Inject SQL Commands, Execute Arbitrary Code, and Deny Service
Vulnerability Center: 38280 - Ruby on Rails 'yaml.rb' Improper Conversion of JSON Data to YAML Allows Remote Code Execution, High

scip Labs: https://www.scip.ch/en/?labs.20161013

Entry

Created: 02/01/2013 10:28
Updated: 12/22/2024 19:18
Changes: 02/01/2013 10:28 (101), 04/24/2017 10:18 (8), 05/04/2021 07:44 (3), 12/22/2024 19:18 (15)
