Matthaus Owens
2013-Jan-30 21:04 UTC
Rails JSON parser vulnerability & Puppet legacy storeconfigs [ security ]
A security vulnerability has been disclosed in Ruby on Rails, assigned CVE-2013-0333. It affects the 2.3 and 3.0 series of Rails. The vulnerability in the JSON code for Ruby on Rails allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.

If you currently use Puppet's ActiveRecord-based storeconfigs, you will most likely want to update your ActiveRecord version or patch your version to address the risk (or, even better, use PuppetDB, a drop-in replacement: http://docs.puppetlabs.com/puppetdb/).

See the following post for more information on the vulnerability: https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo

Regards,
Matthaus Owens
Puppet Labs
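For readers taking the second recommendation, the fragments below put the legacy ActiveRecord storeconfigs settings in a master's puppet.conf next to the PuppetDB backend settings that replace them. This is an added example, not part of the original post or of Puppet Labs' documentation: the hostnames, database name and password are placeholders, and the settings shown are the Puppet 3-era master settings for the two storeconfigs backends.

```ini
# --- BEFORE: legacy ActiveRecord storeconfigs (puppet.conf, [master] section) ---
# These settings make the master load ActiveRecord/Rails, which is what exposes
# it to CVE-2013-0333 until the ActiveRecord gem is updated or patched.
[master]
storeconfigs = true
dbadapter    = mysql
dbname       = puppet              # placeholder database name
dbuser       = puppet              # placeholder user
dbpassword   = CHANGE-ME           # placeholder password
dbserver     = db.example.com      # placeholder host

# --- AFTER: PuppetDB storeconfigs backend (puppet.conf, [master] section) ---
# storeconfigs stays on; only the backend changes. The db* settings above are
# removed so the master no longer loads ActiveRecord at all.
[master]
storeconfigs         = true
storeconfigs_backend = puppetdb

# --- /etc/puppet/puppetdb.conf (new file read by the puppetdb terminus) ---
# Tells the puppetdb terminus where the PuppetDB service listens; the host is a
# placeholder, 8081 is PuppetDB's default SSL port.
[main]
server = puppetdb.example.com
port   = 8081
```

After the switch, the master's ActiveRecord-based storeconfigs code path is no longer exercised, so the vulnerable gem can be removed from the master rather than merely updated. The puppetdb terminus itself ships in the separate `puppetdb-terminus` package, which the PuppetDB documentation linked above covers; installing it is assumed here and is not shown.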