Miggo Logo

CVE-2013-0277: Active Record contains deserialization of arbitrary YAML

10

CVSS Score

Basic Information

EPSS Score
0.91104%
Published
10/24/2017
Updated
11/4/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:C/I:C/A:C
Package NameEcosystemVulnerable VersionsFirst Patched Version
activerecordrubygems< 2.3.172.3.17
activerecordrubygems>= 3.0.0, < 3.1.03.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from ActiveRecord's handling of serialized attributes using YAML. The YAMLColumn coder's load() method directly uses YAML.load, which by default allows deserialization of any class. When combined with mass assignment to serialized attributes (common in Rails models using serialize), this permits remote code execution via crafted YAML payloads. The advisory explicitly references the serialize helper's insecure deserialization behavior, and historical Rails security patches for similar issues target the YAMLColumn implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**tiv*R**or* in Ru*y on R*ils ***or* *.*.** *n* *.x ***or* *.*.* *llows r*mot* *tt**k*rs to **us* * **ni*l o* s*rvi** or *x**ut* *r*itr*ry *o** vi* *r**t** s*ri*liz** *ttri*ut*s t**t **us* t** +s*ri*liz*+ **lp*r to **s*ri*liz* *r*itr*ry Y*ML.

Reasoning

T** vuln*r**ility st*ms *rom **tiv*R**or*'s **n*lin* o* s*ri*liz** *ttri*ut*s usin* `Y*ML`. T** `Y*ML*olumn` *o**r's `lo**()` m*t*o* *ir**tly us*s `Y*ML.lo**`, w*i** *y ****ult *llows **s*ri*liz*tion o* *ny *l*ss. W**n *om*in** wit* m*ss *ssi*nm*nt t