Overview

CVE-2013-0269 (Rails JSON Unsafe Object Creation Vulnerability)

Posted Februrary 13, 2013

There is a vulnerability in the JSON rubygem that allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects. More information can be found in the following post:

• https://groups.google.com/forum/#!topic/rubyonrails-security/4_YvCpLzL58

Status

• Hotfixes available for Puppet Enterprise 1.2.6 and 2.7.1

Hotfixes

• http://puppetlabs.com/security/cve/cve-2013-0269/hotfixes/