Five New Ruby on Rails Security Alerts

Mikel Lindsaar
April 12, 2013

Today the Rails core team announced 5 security alerts.

Here is a full list with versions affected so you know if your app needs updating.

CVE-2013-6416 XSS Vulnerability in simple_format helper

  • Versions Affected: 4.0.0 & 4.0.1
  • Not affected: Versions prior to 4.0
  • Fixed Versions: 4.0.2

CVE-2013-6417 Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)

  • Versions Affected: All.
  • Not affected: None
  • Fixed Versions: 4.0.2 & 3.2.16

CVE-2013-4491 Reflective XSS Vulnerability in Ruby on Rails

  • Versions Affected: 3.0.6 and all later versions.
  • Not affected: 3.0.5 and earlier 3.0.x versions.
  • Fixed Versions: 4.0.2, 3.2.16.

CVE-2013-6414 Denial of Service Vulnerability in Action View

  • Versions Affected: 3.0.0 and all later versions
  • Not affected: 2.3.x
  • Fixed Versions: 4.0.2, 3.2.16

CVE-2013-6415 XSS Vulnerability in number_to_currency

  • Versions Affected: All.
  • Fixed Versions: 4.0.2, 3.2.16.

If you are able to upgrade your Rails app, going to 3.2.16 or 4.0.2 will apply all the patches you need to handle these security issues.
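
As an added example (not code from the original post or from reInteractive), the Ruby script below encodes the affected and fixed versions listed above and reports which of the five CVEs still apply to a given Rails version, taking that version from Gemfile.lock. The CVE-to-version mapping is transcribed from this post; the lockfile fragment is constructed.

```ruby
require 'rubygems' # Gem::Version gives correct semantic version comparison

# Version data transcribed from the five alerts above (nil => every version affected).
ADVISORIES = [
  { cve: 'CVE-2013-6416', title: 'XSS in simple_format',      first_affected: '4.0.0' },
  { cve: 'CVE-2013-6417', title: 'Unsafe query generation',   first_affected: nil },
  { cve: 'CVE-2013-4491', title: 'Reflective XSS',            first_affected: '3.0.6' },
  { cve: 'CVE-2013-6414', title: 'DoS in Action View',        first_affected: '3.0.0' },
  { cve: 'CVE-2013-6415', title: 'XSS in number_to_currency', first_affected: nil },
].freeze

FIXED_3_2 = Gem::Version.new('3.2.16')
FIXED_4_0 = Gem::Version.new('4.0.2')

# A release carries all five fixes if it is 4.0.2 or later (so 4.1+ counts as
# patched too), or a 3.2.x release at or above 3.2.16. The post lists no fixed
# release for the 2.3, 3.0 or 3.1 series, so those are reported as needing an upgrade.
def patched?(version)
  return true if version >= FIXED_4_0
  version.segments.first(2) == [3, 2] && version >= FIXED_3_2
end

# Returns the CVE ids from the post that still apply to the given Rails version.
def open_advisories(version_string)
  version = Gem::Version.new(version_string)
  return [] if patched?(version)
  ADVISORIES.select { |a| a[:first_affected].nil? || version >= Gem::Version.new(a[:first_affected]) }
            .map { |a| a[:cve] }
end

# Pulls the resolved rails version out of Gemfile.lock text. Top-level specs are
# indented four spaces and their dependencies six, so the anchor avoids matching
# lines such as "rails (= 3.2.15)" listed under another gem.
def rails_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \(([^)]+)\)/)
  m && m[1]
end

# Constructed sample Gemfile.lock fragment (not taken from a real application).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.15)
        actionmailer (= 3.2.15)
        railties (= 3.2.15)
LOCK

if $PROGRAM_NAME == __FILE__
  version = rails_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "Rails #{version} still affected by: #{open_advisories(version).join(', ')}"
end
```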

We are already busy applying the fixes for these alerts to all of our Sentinel Ruby on Rails support clients. If you need help with your application, or want to have these sorts of things just taken care of for your Ruby on Rails application, please get in touch.

Mikel Lindsaar reInteractive