Another Rails JSON security bug 30 Jan 13
Another serious vulnerability in Rails has been discovered. Like the last one, it concerns the parsing of JSON request bodies: an attacker can use it to bypass application code such as authentication checks, and it may also be used to run arbitrary Ruby code and even execute system commands.
This new vulnerability does not affect Rails 3.1 and 3.2. Applications using Rails 3.0 and Rails 2.3 are vulnerable. We do not have any details about releases prior to 2.3, but these should be assumed to be vulnerable as well.
The rubyonrails.org blog post has more details of this newly discovered vulnerability, CVE-2013-0333. Rails 2.3 and 3.0 apps need upgrading (or the workaround implementing) to fix this new JSON vulnerability.
Please note that this issue is separate from the earlier SQL injection vulnerability and the XML+JSON parameter-parsing vulnerabilities. Even if you have already taken action against those earlier bugs, further work is now needed to protect against this new one.
We urge all customers to upgrade as soon as possible.
