CVE-2013-0277: Active Record contains deserialization of arbitrary YAML
CVSS Score
10
Basic Information
CVE ID
CVE-2013-0277
GHSA ID
EPSS Score
0.91104%
CWE
Published
10/24/2017
Updated
11/4/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
AV:N/AC:L/Au:N/C:C/I:C/A:C
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| activerecord | rubygems | < 2.3.17 | 2.3.17 |
| activerecord | rubygems | >= 3.0.0, < 3.1.0 | 3.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how Active Record loads attributes declared with the `serialize` helper. In the affected releases (2.3.x before 2.3.17 and 3.0.x), any String found in a serialized attribute is taken to be its stored form and passed to `YAML.load` on the next read. `YAML.load` in the Ruby versions of the day instantiates whatever class a `!ruby/object:` tag names and runs that class's deserialization hooks, so the loader executes attacker-controlled object construction before the application ever checks the result. Any path that lets a user write a String into such an attribute, most commonly mass assignment to a `serialize`d column, therefore lets them plant a crafted YAML document that the application deserializes, which permits remote code execution. The advisory describes this as the `serialize` helper's ability to unserialize arbitrary YAML. Rails 3.1.0 and later, which track whether an attribute value is still in serialized form instead of treating every String as YAML, are listed as not affected, and later Rails security patches for the same class of bug hardened the `YAMLColumn` coder that replaced this loader.
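The following Ruby program is an added illustration of the mechanism described above; it is not code from Active Record or from the advisory. `VulnerableRecord`, `HardenedRecord`, `SideEffect` and the `PAYLOAD` string are hypothetical stand-ins constructed for the example: the vulnerable class mimics a `serialize`d attribute that YAML-loads any assigned String, the hardened class shows the two controls that close the hole (re-serialize on write, restrict classes on read), and `SideEffect` stands in for any class already loaded in the process whose deserialization hook an attacker can trigger.

```ruby
require "yaml"

# Constructed stand-in for any class an attacker can name in a YAML document.
# Psych calls #init_with while deserializing, so this method runs before the
# application ever touches the loaded object. Real exploits chain into
# classes that already exist in the process; this one only records a call.
class SideEffect
  @@calls = []

  def self.calls
    @@calls
  end

  def init_with(coder)
    @@calls << coder["cmd"]
  end
end

# The unrestricted YAML.load behaviour the affected Rails versions relied on.
# Ruby 3.1+ made YAML.load safe by default and exposes the old behaviour as
# YAML.unsafe_load; on older Rubies YAML.load itself is unrestricted.
def unrestricted_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Hypothetical model of a `serialize`d attribute in the affected releases:
# a String assigned to the attribute is taken to be its serialized form and
# YAML-loaded on the next read. Not Active Record's code.
class VulnerableRecord
  def preferences=(value) # mass assignment lands here
    @preferences = value
  end

  def preferences
    @preferences.is_a?(String) ? unrestricted_load(@preferences) : @preferences
  end
end

# Hardened variant: an assigned value is never mistaken for serialized data,
# writes always re-serialize, and reads only permit the expected classes.
class HardenedRecord
  PERMITTED = [Hash, Symbol].freeze

  def preferences=(value)
    @stored = YAML.dump(value) # a String becomes a quoted scalar, not a document
  end

  def preferences
    YAML.safe_load(@stored, permitted_classes: PERMITTED, aliases: false)
  end
end

# Constructed attacker input: the string a form field could deliver via mass
# assignment. The "cmd" key is only read back by SideEffect#init_with above.
PAYLOAD = "--- !ruby/object:SideEffect\ncmd: touch /tmp/pwned\n".freeze

# Returns the object the vulnerable loader instantiates from the payload.
def demo_vulnerable
  record = VulnerableRecord.new
  record.preferences = PAYLOAD
  record.preferences # SideEffect#init_with has already run by now
end

# Returns what the hardened loader yields for the same input: the plain string.
def demo_hardened
  record = HardenedRecord.new
  record.preferences = PAYLOAD
  record.preferences
end

# True if safe_load refuses to instantiate the tagged class in a raw document
# (the second line of defence if a raw YAML document ever reaches the column).
def safe_load_rejects?(yaml)
  YAML.safe_load(yaml, permitted_classes: HardenedRecord::PERMITTED)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable loader returned: #{demo_vulnerable.class}"
  puts "init_with recorded: #{SideEffect.calls.inspect}"
  puts "hardened loader returned: #{demo_hardened.inspect}"
  puts "safe_load rejects raw document: #{safe_load_rejects?(PAYLOAD)}"
end
```

The point of the two records is that the fix is not only `safe_load`: the hardened writer never stores a user-supplied String as a YAML document in the first place, so the same input round-trips as an ordinary string, and `safe_load` with an explicit `permitted_classes` list catches any raw document that reaches the column by another route.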