CVE-2013-0277 (Rails Arbitrary YAML deserialization)

  • Posted February 13, 2013

  • There is a vulnerability in the serialized attribute handling code in Ruby on Rails 2.3 and 3.0. Applications that allow users to assign directly to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution.

    More information can be found in the following post:


    • Hotfixes available for Puppet Enterprise 1.2.6 and 2.7.1