Ruby on Rails 3.0.20 and 2.3.16 have been released. Users are advised to update their installations as soon as possible because the new releases address an extremely critical vulnerability.
Ruby on Rails 2.3.x and Ruby on Rails 3.0.x are affected by the security hole.
The vulnerability, present in the JSON parsing code, can be leveraged by attackers to bypass authentication, inject arbitrary SQL commands, execute arbitrary code, and even mount denial-of-service (DoS) attacks against Rails applications.
“The JSON parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML,” reads the advisory.
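The defensive lesson from the advisory is that a JSON request body must only ever reach a parser that can produce plain JSON data types, never a YAML parser. The following added example (not code from the Rails project or the advisory) shows that idea with Ruby's standard `json` library alone: it parses untrusted input with the JSON gem only, disables the gem's own object-revival feature, and rejects any decoded tree that contains anything other than JSON types. The sample request bodies are constructed for the example.

```ruby
require 'json'

# Types that a JSON document can legitimately decode to. Anything else in the
# parsed tree means the parser did more than parse JSON (for example, a YAML
# backend instantiating Ruby objects from tags).
JSON_TYPES = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Parse untrusted input with the JSON gem only, never via a YAML backend.
# create_additions: false also disables the gem's own "json_class" object
# revival, so the result can only contain plain JSON data types.
def parse_json_strict(body)
  JSON.parse(body, create_additions: false)
end

# Walk a decoded tree and confirm every node is a plain JSON type
# (defense in depth, independent of which backend did the parsing).
def json_types_only?(node)
  return false unless JSON_TYPES.any? { |t| node.is_a?(t) }
  case node
  when Hash  then node.all? { |k, v| k.is_a?(String) && json_types_only?(v) }
  when Array then node.all? { |v| json_types_only?(v) }
  else true
  end
end

# Decode a request body and refuse anything that is not plain JSON data.
# Returns the decoded tree, or nil when the body should be rejected.
def decode_untrusted_json(body)
  tree = parse_json_strict(body)
  json_types_only?(tree) ? tree : nil
rescue JSON::ParserError
  nil
end

# Constructed sample inputs: a valid JSON request body, and a body that is
# valid YAML but not valid JSON (the shape only a YAML-based backend accepts).
JSON_BODY = '{"user": {"name": "alice", "roles": ["reader"], "active": true}}'.freeze
YAML_ONLY_BODY = "--- \nuser: \n  name: alice\n".freeze

if __FILE__ == $PROGRAM_NAME
  p decode_untrusted_json(JSON_BODY)      # => {"user"=>{"name"=>"alice", ...}}
  p decode_untrusted_json(YAML_ONLY_BODY) # => nil
end
```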
Ruby on Rails is available for download here.