Your one-stop web resource providing safety and security information to manufacturers

Ruby on Rails developers released four new versions of the popular web app framework complete with fixes for a series of vulnerabilities that could have lead to denial of service attacks and XSS injections.

Four vulnerabilities end up fixed in versions 3.2.13, 3.1.12 and 2.3.18 of Rails, according to a post to the company’s blog. “All versions are impacted by one or more of these security issues,” the post said.

Third Party Bug Fixed for Wonderware
Fix Ready for Gateway Server
Tridium Mitigates Vulnerability
SAS: Zero Day Lives On

A denial of service (DoS) vulnerability (CVE-2013-1854) in Rails’ ActiveRecord function, two cross-site scripting vulnerabilities, one in the sanitize helper (CVE-2013-1857) and one in the sanitize_css method in Action Pack (CVE-2013-1855) ended up patched.

An additional XML parsing vulnerability in the JDOM backend of ActiveSupport could have also allowed an attacker to perform a denial-of-service attack or gain access to files stored on the application server when using JRuby (CVE-2013-1856) according to one of the warnings.

Cyber Security

The XSS vulnerabilities could allow an attacker to embed a tag containing a URL that executes arbitrary JavaScript code.

Ruby on Rails contributor Aaron Patterson dives much deeper into the vulnerabilities – and potential workarounds – while users can click here for the updates, which they should apply as soon as possible.

Fixes are not new to the organization, as they updated multiple issues issues in Ruby on Rails around this time last month, including a YAML flaw in ActiveRecord that lead to remote code execution.

Pin It on Pinterest

Share This