A vulnerability has been reported in the json gem for Ruby, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused by an input validation error within the gem, which allows a JSON document being parsed to create additions. This can be exploited to create arbitrary Ruby symbols and e.g. cause a Denial of Service or execute arbitrary SQL code.
The vulnerability is reported in versions prior to 1.7.7, 1.6.8, and 1.5.5.
Solution: Update to version 1.7.7, 1.6.8, or 1.5.5.
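Beyond updating, code that parses untrusted JSON should not let the document create additions at all. The following is an added example, not code from the advisory or the gem; it assumes the json gem's documented `create_additions` parse option and its `JSON.create_id` marker key (default `"json_class"`), and the sample document is constructed for illustration.

```ruby
require 'json'

# Parse untrusted input with additions disabled: any addition marker in the
# document is left as an ordinary Hash key instead of driving object creation.
# Keys stay strings on purpose; turning attacker-chosen keys into symbols is
# the symbol-creation issue the advisory describes (symbols were not garbage
# collected before Ruby 2.2).
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false, symbolize_names: false)
end

# Defensive check for logging/alerting: walk the parsed structure and report
# whether any object carries the gem's addition marker (JSON.create_id).
def contains_create_id?(value, id = JSON.create_id)
  case value
  when Hash
    value.key?(id) || value.each_value.any? { |v| contains_create_id?(v, id) }
  when Array
    value.any? { |v| contains_create_id?(v, id) }
  else
    false
  end
end

# Constructed sample: a document that tries to smuggle an addition marker.
SAMPLE_DOC = '{"user": {"json_class": "SomeClass", "a": [1, 5]}, "tags": ["x"]}'

if __FILE__ == $PROGRAM_NAME
  parsed = parse_untrusted(SAMPLE_DOC)
  puts "addition marker present: #{contains_create_id?(parsed)}"
  puts "user parsed as: #{parsed['user'].class}"
end
```

With additions disabled the marked object parses as a plain Hash, and the check lets a request handler reject or log documents that carry the marker.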
Provided and/or discovered by: Thomas Hollstegge, Zweitag.
The vendor also credits Ben Murphy.
Original Advisory: Ruby on Rails: