DOS, XSS and Data Injection Flaws Fixed in Rails 4.0.3, 3.2.17 and 4.1.0.beta2

Vulnerabilities fixed in Ruby on Rails 4.0.3, 3.2.17 and 4.1.0.beta2

Ruby on Rails 4.0.3, 3.2.17 and 4.1.0.beta2 have been released. The latest releases address a total of three vulnerabilities.

According to the developers, the vulnerabilities fixed in 3.2.17 carry the identifiers CVE-2014-0081 and CVE-2014-0082. Rails 4.0.3 addresses the issues with the identifiers CVE-2014-0080 and CVE-2014-0081.

In 4.1.0.beta2, the list of security fixes includes CVE-2014-0080 and CVE-2014-0081.

CVE-2014-0080 is a data injection vulnerability impacting Active Record. The flaw can be exploited to add data to array columns in PostgreSQL databases.

CVE-2014-0081 refers to a cross-site scripting (XSS) vulnerability in the “number_to_currency”, “number_to_percentage” and “number_to_human” helpers.
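The class of bug behind this kind of XSS is a helper that interpolates caller-supplied string options (a currency unit, a format string) into its HTML output without escaping them. The following Ruby example is added here for illustration; it is not code from the article or from Rails. It uses a small stand-in for a currency helper (an assumption, not the real implementation) and an assumed list of string-valued option keys, and shows the defensive step of HTML-escaping user-controlled option values with `ERB::Util.html_escape` before they reach the helper.

```ruby
require 'erb'

# Option keys that a number helper interpolates into its output as raw
# strings. Assumed list for this example; the real helper's escaping rules
# live in Rails, not here.
STRING_OPTIONS = %i[unit format negative_format separator delimiter].freeze

# Return a copy of +options+ with every user-controllable string value
# HTML-escaped. Non-string values (precision, etc.) pass through untouched,
# and the caller's hash is not mutated.
def escape_number_options(options)
  options.each_with_object({}) do |(key, value), out|
    out[key] = if STRING_OPTIONS.include?(key) && value.is_a?(String)
                 ERB::Util.html_escape(value)
               else
                 value
               end
  end
end

# Minimal stand-in for a currency helper (hypothetical, not Rails' own):
# formats +amount+ with the given options and wraps it in markup. The unit
# is interpolated verbatim, which is exactly what makes escaping necessary.
def currency_markup(amount, options)
  opts = { unit: '$', separator: '.', delimiter: ',', precision: 2 }.merge(options)
  whole, frac = format('%.*f', opts[:precision], amount).split('.')
  whole = whole.reverse.scan(/\d{1,3}/).join(opts[:delimiter]).reverse
  number = frac ? "#{whole}#{opts[:separator]}#{frac}" : whole
  "<span class=\"price\">#{opts[:unit]}#{number}</span>"
end

# Safe path: escape the options first, so a unit taken from user input is
# rendered as text instead of becoming part of the page's markup.
def safe_currency_markup(amount, options)
  currency_markup(amount, escape_number_options(options))
end

# Constructed input: a currency unit under attacker control.
TAINTED_UNIT = '<script>alert(1)</script>'

puts currency_markup(1234.5, unit: TAINTED_UNIT)      # unescaped: script tag lands in the page
puts safe_currency_markup(1234.5, unit: TAINTED_UNIT) # escaped: shown as literal text
```

The check to carry over to a real application is the same: any option value that originates from a request, a user profile or a database row is escaped before it is handed to a helper that builds HTML, regardless of whether the framework version in use already does so.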

Finally, CVE-2014-0082 is a denial-of-service (DoS) issue in Action View; more precisely, it affects Action View's text rendering component.

Users are advised to update their installations as soon as possible. The latest versions of Ruby on Rails can be downloaded from Softpedia.

