On January 8, 2013, several critical security vulnerabilities in Ruby on Rails were disclosed. The most severe (CVE-2013-0156) allows the execution of arbitrary code on the server.
Affected Versions
All versions of Ruby on Rails are affected:
- Rails 3.x
- Rails 2.x
- Including older, unsupported versions
Severity of the Vulnerability
The security vulnerability is rated as extremely critical. It allows:
- Remote Code Execution (execution of arbitrary code)
- SQL Injection
- Denial of Service
Immediate Actions
Update Ruby on Rails immediately to one of the following patched versions:
- Rails 3.2.11
- Rails 3.1.10
- Rails 3.0.19
- Rails 2.3.15
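As an added illustration (not part of the original notice), the following Ruby script checks the Rails version pinned in an application's Gemfile.lock against the patched releases listed above. The Gemfile.lock excerpt is constructed sample data; the PATCHED_RELEASES table contains only the versions named in this notice, so a series with no listed fix (for example 2.2.x) is reported as unlisted rather than assumed safe.

```ruby
require "rubygems"

# Patched releases named in the notice, keyed by "major.minor" series.
PATCHED_RELEASES = {
  "3.2" => "3.2.11",
  "3.1" => "3.1.10",
  "3.0" => "3.0.19",
  "2.3" => "2.3.15",
}.freeze

# Returns the "major.minor" series of a version string, e.g. "3.2.10" -> "3.2".
def rails_series(version)
  Gem::Version.new(version).segments.first(2).join(".")
end

# Classifies a Rails version as :patched, :vulnerable, or :unlisted.
# :unlisted means the notice names no patched release for that series,
# so the version must be treated as unverified rather than safe.
def assess_rails_version(version)
  fixed = PATCHED_RELEASES[rails_series(version)]
  return :unlisted unless fixed

  Gem::Version.new(version) >= Gem::Version.new(fixed) ? :patched : :vulnerable
end

# Extracts the resolved rails version from Gemfile.lock text.
# Bundler lists resolved gems under "specs:" indented by four spaces,
# and their dependencies by six, so the anchor avoids matching
# lines such as "actionmailer (= 3.2.10)".
def rails_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}rails \((\d+(?:\.\d+)+)\)/)
  m && m[1]
end

# Constructed sample Gemfile.lock excerpt (not from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.10)
        actionmailer (= 3.2.10)
      activesupport (3.2.10)
LOCK

if __FILE__ == $0
  version = rails_version_from_lockfile(SAMPLE_LOCK)
  puts "Rails #{version}: #{assess_rails_version(version)}"
end
```

To check a real application, replace SAMPLE_LOCK with `File.read("Gemfile.lock")`; the same assessment works for a version string taken from `bundle show rails`.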
Managed Server Customers
For Managed Server customers with Rails applications, we have already reached out to coordinate the update. If you have not yet received a notification, please contact us at info@ingate.de.