Ruby on Rails developers released four new versions of the popular web app framework complete with fixes for a series of vulnerabilities that could have lead to denial of service attacks and XSS injections.
Four vulnerabilities end up fixed in versions 3.2.13, 3.1.12 and 2.3.18 of Rails, according to a post to the company’s blog. “All versions are impacted by one or more of these security issues,” the post said.
A denial of service (DoS) vulnerability (CVE-2013-1854) in Rails’ ActiveRecord function, two cross-site scripting vulnerabilities, one in the sanitize helper (CVE-2013-1857) and one in the sanitize_css method in Action Pack (CVE-2013-1855) ended up patched.
An additional XML parsing vulnerability in the JDOM backend of ActiveSupport could have also allowed an attacker to perform a denial-of-service attack or gain access to files stored on the application server when using JRuby (CVE-2013-1856) according to one of the warnings.
Ruby on Rails contributor Aaron Patterson dives much deeper into the vulnerabilities – and potential workarounds – while users can click here for the updates, which they should apply as soon as possible.
Fixes are not new to the organization, as they updated multiple issues issues in Ruby on Rails around this time last month, including a YAML flaw in ActiveRecord that lead to remote code execution.