Ruby on Rails Releases ‘Extremely Critical’ Security Fixes – Exploit Code En Route

Ruby on Rails maintainers have released another critical update to the popular Web application framework to address some serious issues.

The latest versions, 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been updated with “two extremely critical security fixes” and should be applied immediately, according to a post on Jan. 8. The “multiple weaknesses” in the parameter parsing code for Ruby on Rails allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a denial-of-service attack on a Rails application, according to the advisory posted on the Ruby on Rails Security list on Google Groups.

The CVE-2013-0156 flaw involves how Ruby on Rails parses some parameters and how certain strings are being converted into unsuitable types, according to the advisory. Since portions of the vulnerability have been disclosed publicly, users running an affected release should either upgrade or implement one of the recommended workarounds, such as disabling XML or disabling YAML and Symbol type conversion from the Rails XML parser. All versions after 2.0 appear to be affected.

“This vulnerability is critical and given the popularity of Ruby on Rails, the impact is huge,” Claudio Guarnieri, a security researcher at Rapid7, told SecurityWeek.

Ruby on Rails is an open-source Web framework intended to make it easier and simpler to design and deploy Web applications. It is currently used by more than 240,000 websites, according to usage statistics on, and the vulnerability appears to have been introduced in version 2.0, meaning it has been present for the past six years.

“From a technical standpoint it’s a very interesting and challenging vulnerability that can be exploited in several different ways with very dangerous outcomes, from SQL injection to code execution,” Guarnieri said. He said organizations using Ruby on Rails for their Web applications should disable XML parsing.

There’s no patch available for version 2.0.2, but administrators running that version of Rails can add a line at the bottom of a configuration file to fix the issue, according to a comment on the post announcing the upgrade. Older versions such as 1.1.6 are not affected.
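The workarounds mentioned above (dropping the YAML and Symbol type conversions from the XML parser, or disabling XML parameter parsing) act on the typecasting step of the Rails XML parameter parser. The following is an added illustration, not code from the article or from Rails itself: a miniature model of that typecasting table, with the weak default beside the hardened copy, so the difference in what a request body turns into is visible on a benign, constructed input.

```ruby
# Added illustration (not code from the article or from Rails): a miniature
# model of how the Rails XML parameter parser typecasts nodes by their
# "type" attribute, and what the advisory's workaround changes.
require "rexml/document"
require "yaml"

# Type-name => converter, in the spirit of ActiveSupport::XmlMini::PARSING.
# The "symbol" and "yaml" entries are the ones CVE-2013-0156 abuses: the
# client chooses the type attribute, so the server deserializes whatever
# YAML it is sent.
DEFAULT_PARSING = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { s == "true" },
  "symbol"  => ->(s) { s.to_sym },      # untrusted input becomes a Symbol
  "yaml"    => ->(s) { YAML.load(s) },  # untrusted input is deserialized
}

# Hardened table: the upstream workaround for Rails 3.x is
#   ActiveSupport::XmlMini::PARSING.delete("symbol")
#   ActiveSupport::XmlMini::PARSING.delete("yaml")
# which is what this copy does. Disabling XML bodies entirely is
#   ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
HARDENED_PARSING = DEFAULT_PARSING.reject { |k, _| %w[symbol yaml].include?(k) }

# Parse an XML body into {name => value}, typecasting leaves by "type".
# Unknown or removed types fall back to the raw string, as XmlMini does.
def parse_params(xml, parsing)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |node, params|
    text = node.text.to_s
    conv = parsing[node.attributes["type"]]
    params[node.name] = conv ? conv.call(text) : text
  end
end

# Constructed, benign request body of the shape the advisory warns about.
SAMPLE_BODY = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">30</age>
    <role type="symbol">admin</role>
    <prefs type="yaml">{theme: dark, beta: true}</prefs>
  </user>
XML

if __FILE__ == $0
  p parse_params(SAMPLE_BODY, DEFAULT_PARSING)   # role is a Symbol, prefs a Hash
  p parse_params(SAMPLE_BODY, HARDENED_PARSING)  # both stay plain Strings
end
```

With the hardened table the typed nodes arrive as ordinary strings, which is the behaviour the advisory's workaround restores while a proper upgrade is scheduled.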

The latest update comes a few days after the Ruby on Rails maintainers released a fix for an SQL injection vulnerability (CVE-2012-5664) in the framework. The flaw was in the way dynamic finders in Active Record extract options from method parameters, according to the earlier advisory. Considering the framework’s popularity, the vulnerability received a lot of attention, but many security experts downplayed the significance, saying the flaw would not affect many organizations.


“The SQL flaw identified in CVE-2012-5664 is a non-issue for most organizations since it requires an exposed secret token or a non-standard code path to become exploitable,” HD Moore, CSO and Chief Architect of Rapid7, told SecurityWeek.

In contrast, the issues highlighted in CVE-2013-0156 affect all Rails applications in their default configuration and one of the results is the ability to trigger the same sort of SQL injection issue without requiring access to the secret token, Moore said. Penetration testing framework Metasploit has already updated its application and is working on a testing module for the vulnerability.

“The YAML deserialization issue covered in CVE-2013-0156 can lead to remote code execution as well, which is a much more significant impact than SQL injection,” Moore said.

While there is a lot of information available about the vulnerability, the researcher who publicized the issue stopped short of releasing a working proof-of-concept. A quick review of common Ruby on Rails classes didn’t turn up any obvious paths to exploit the issues, but it’s possible there is more than one attack path available, Moore noted on the Metasploit blog.

With the vulnerability public, there are concerns an exploit is on the way. “The risk of compromise will escalate in the next days with weaponized exploits likely coming out,” Guarnieri predicted.

Ruby on Rails also closed a denial of service bug in 3.2.11, 3.1.10, 3.0.19, and 2.3.15. This flaw is triggered when JSON parameters are parsed and passed to Active Record. While attackers won’t be able to insert arbitrary values, they can “issue unexpected database queries,” the advisory said. This issue affects version 3.x of Rails.
