Active Record contains deserialization of arbitrary YAML
Critical severity • GitHub Reviewed
Published Oct 24, 2017 to the GitHub Advisory Database • Updated Nov 4, 2023
Package: ActiveRecord (Ruby on Rails)
Affected versions: < 2.3.17; >= 3.0.0, < 3.1.0
Patched versions: 2.3.17 (for the 2.3 branch); 3.1.0 (for the 3.0 branch)
Description
Published by the National Vulnerability Database: Feb 13, 2013
Published to the GitHub Advisory Database: Oct 24, 2017
Reviewed: Jun 16, 2020
Last updated: Nov 4, 2023
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the serialize helper to deserialize arbitrary YAML. The helper hands the stored column value to a full YAML loader, which honours type tags such as !ruby/object and builds whatever Ruby class the document names, so any input path that lets attacker-controlled text reach a serialized column gives the attacker control over object instantiation inside the application process.
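The mechanism in the description, as an added example (not code from the advisory, Rails or Psych): a constructed column value carrying a !ruby/object tag is fed to the full YAML loader the unpatched serialize helper relied on and comes back as an instance of an application class the attacker chose; the same value fed through a coder built on YAML.safe_load is refused. The class Gadget, the module SafeHashCoder, the two sample column strings and the helper function names are assumptions made for the demonstration; the only Rails-specific assumption is that a custom serializer is an object responding to load and dump.

```ruby
require "yaml"

# Stand-in for an application class that column data should never be able to
# instantiate. Assumed for the demonstration; not part of Rails or the advisory.
class Gadget
  attr_reader :note
end

# Psych 4 (Ruby 3.1+) made YAML.load safe by default and moved the old
# full-object-construction behaviour to unsafe_load; older Psych only has the
# unsafe load. Select the unsafe loader on either so the demo reproduces the
# pre-fix behaviour of the serialize helper regardless of Ruby version.
UNSAFE_LOADER = YAML.respond_to?(:unsafe_load) ? YAML.method(:unsafe_load) : YAML.method(:load)

# Constructed sample: text an attacker managed to get stored in a serialized
# column. A legitimate value would be a plain Hash; this one names a class.
MALICIOUS_COLUMN = <<~YAML
  --- !ruby/object:Gadget
  note: "attacker controlled"
YAML

# Constructed sample of what the column is supposed to hold.
BENIGN_COLUMN = <<~YAML
  ---
  theme: dark
  per_page: 25
YAML

# Vulnerable behaviour: the stored attribute goes to a loader that honours
# !ruby/object tags and allocates whatever class the document names.
def load_like_unpatched_serialize(column_value)
  UNSAFE_LOADER.call(column_value)
end

# Hardened coder (assumed name): an object with load/dump, the shape Active
# Record accepts for a custom serializer. safe_load refuses every tag outside
# the YAML core types, and the Hash check rejects surprises such as a bare
# scalar or array that safe_load would otherwise hand back.
module SafeHashCoder
  def self.load(column_value)
    return {} if column_value.nil?
    value = YAML.safe_load(column_value)
    raise TypeError, "expected Hash, got #{value.class}" unless value.is_a?(Hash)
    value
  end

  def self.dump(obj)
    raise TypeError, "only Hash is serialized" unless obj.is_a?(Hash)
    YAML.dump(obj)
  end
end

# True when the hardened coder rejects the document because of a forbidden
# class tag, false when it loads cleanly.
def safe_load_rejects?(column_value)
  SafeHashCoder.load(column_value)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $0
  obj = load_like_unpatched_serialize(MALICIOUS_COLUMN)
  puts "unpatched: got #{obj.class} with note=#{obj.note.inspect}"
  puts "hardened:  #{safe_load_rejects?(MALICIOUS_COLUMN) ? 'rejected' : 'accepted'}"
  puts "hardened benign: #{SafeHashCoder.load(BENIGN_COLUMN).inspect}"
end
```

Run it with plain Ruby; no database or Rails install is needed. When auditing an application, the check is the same as what the block shows: every serialize declaration on a release inside the affected ranges, and any custom coder that passes column data to YAML.load (or unsafe_load) instead of safe_load, is a sink for this issue; upgrading to the patched releases is the fix, and a safe_load-based coder is the defence in depth for data that may already be in the database.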
References