10

CVSS Score

Basic Information

CVE ID

CVE-2013-0277

GHSA ID

GHSA-fhj9-cjjh-27vm

EPSS Score

0.91104%

CWE

CWE-502

Published

10/24/2017

Updated

11/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-0277

CVE-2013-0277: Active Record contains deserialization of arbitrary YAML

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.

(GitHub Advisory)

10

CVSS Score

Basic Information

CVE ID

CVE-2013-0277

GHSA ID

GHSA-fhj9-cjjh-27vm

EPSS Score

0.91104%

CWE

CWE-502

Published

10/24/2017

Updated

11/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
activerecord	rubygems	< 2.3.17	2.3.17
activerecord	rubygems	>= 3.0.0, < 3.1.0	3.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from ActiveRecord's handling of serialized attributes using YAML. The YAMLColumn coder's load() method directly uses YAML.load, which by default allows deserialization of any class. When combined with mass assignment to serialized attributes (common in Rails models using serialize), this permits remote code execution via crafted YAML payloads. The advisory explicitly references the serialize helper's insecure deserialization behavior, and historical Rails security patches for similar issues target the YAMLColumn implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**tiv*R**or* in Ru*y on R*ils ***or* *.*.** *n* *.x ***or* *.*.* *llows r*mot* *tt**k*rs to **us* * **ni*l o* s*rvi** or *x**ut* *r*itr*ry *o** vi* *r**t** s*ri*liz** *ttri*ut*s t**t **us* t** +s*ri*liz*+ **lp*r to **s*ri*liz* *r*itr*ry Y*ML.

Reasoning

T** vuln*r**ility st*ms *rom **tiv*R**or*'s **n*lin* o* s*ri*liz** *ttri*ut*s usin* `Y*ML`. T** `Y*ML*olumn` *o**r's `lo**()` m*t*o* *ir**tly us*s `Y*ML.lo**`, w*i** *y ****ult *llows **s*ri*liz*tion o* *ny *l*ss. W**n *om*in** wit* m*ss *ssi*nm*nt t

10

Basic Information

Concerned about an active attack path?

CVE-2013-0277: Active Record contains deserialization of arbitrary YAML

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI