
Another vulnerability in Rails (CVE-2013-0333) allows attackers to bypass authentication and run arbitrary code.
Vulnerable versions: 2.3.x, 3.0.x
Safe: 3.1.x, 3.2.x, or applications using yajl-ruby
Fixed in versions: 3.0.20, 2.3.16
Now what happened?
Rails 3.0 and 2.3 support multiple backends for parsing JSON. One of these backends works by transforming the JSON into YAML and handing it to the YAML parser. An attacker can execute arbitrary code by transmitting a specially crafted request containing YAML (recall CVE-2013-0156).
Workarounds
If it is not possible to update the Rails version, you can switch to JSONGem as the backend by placing the following code in config/initializers/json.rb:
# config/initializers/json.rb: parse JSON with the json gem instead of the YAML backend
ActiveSupport::JSON.backend = "JSONGem"
If you are still using Ruby 1.8, do not forget to install the json or json_pure gem. On 1.9 this is no longer required.
PS
However, in the comments on the Rails blog entry some problems with this workaround have already been reported. For example, if you receive JSON with single quotes (which the JSON specification does not allow), it will now be rejected.
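The following is an added example (not code from the Rails project or the original post) illustrating both the backend difference above and the single-quote caveat: it parses constructed sample request bodies once through the YAML parser (the behaviour of the old YAML-based backend) and once through the json gem (the JSONGem backend), showing that the YAML path accepts input the JSON grammar rejects. The sample bodies and the helper names are assumptions for illustration.

```ruby
require 'json'
require 'yaml'

# Constructed sample request bodies (not taken from any real traffic).
VALID_JSON    = '{"user": {"name": "alice", "admin": false}}'
SINGLE_QUOTED = "{'user': {'name': 'alice', 'admin': false}}"  # not valid JSON
BARE_YAML     = "user: alice"                                    # not JSON at all

# Mirrors the old YAML-based backend: the body is treated as a YAML document.
# JSON is (almost) a subset of YAML, so this accepts far more than JSON,
# including single-quoted strings and plain YAML. On older Psych versions
# YAML.load is the unrestricted loader, which is why this path was dangerous.
def parse_via_yaml(body)
  YAML.load(body)
end

# Mirrors the JSONGem backend: the json gem enforces the JSON grammar.
# Returns [:ok, value] or [:error, message] so a caller can answer 400
# instead of raising; this is where single-quoted clients now fail.
def parse_via_json_gem(body)
  [:ok, JSON.parse(body)]
rescue JSON::ParserError => e
  [:error, e.message]
end

if __FILE__ == $PROGRAM_NAME
  [VALID_JSON, SINGLE_QUOTED, BARE_YAML].each do |body|
    puts "body:     #{body.inspect}"
    puts "  yaml:   #{parse_via_yaml(body).inspect}"
    puts "  json:   #{parse_via_json_gem(body).inspect}"
  end
end
```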