Most users run Ruby on Rails 3.2 these days, but some still run Rails 3.0 or 2.3.
Those who cannot update their application to Rails 3.2 and must keep running Rails 3.0 or 2.3 are strongly advised to update to Rails 3.0.20 or 2.3.16.
To quote the Rails authors:
“I’d like to announce that 3.0.20, and 2.3.16 have been released. These releases contain one extremely critical security fix so please update IMMEDIATELY.

The JSON Parsing code in Rails 2.3 and 3.0 support multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML.”
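The root cause described in the announcement is that a YAML parser accepts far more than the JSON grammar, so routing JSON through it lets a request body carry YAML constructs the application never meant to decode. The following Ruby snippet is an added illustration, not code from the Rails project or from this announcement: it places a YAML-based decoder (the lenient design the advisory describes) beside a strict JSON decoder, and adds a small check a defender can use to flag request bodies that only a YAML parser would accept. The sample bodies are constructed for the example; `decode_via_yaml`, `decode_strict`, `strict_rejects?` and `yaml_only?` are names chosen here.

```ruby
require 'json'
require 'yaml'

# Lenient path: treat the body as YAML, of which JSON is a subset.
# This mirrors the backend design the advisory warns about. safe_load is
# used here so the illustration itself never instantiates arbitrary classes,
# but the point stands: the YAML grammar admits inputs JSON does not.
def decode_via_yaml(body)
  YAML.safe_load(body)
end

# Strict path: only the JSON grammar is accepted; anything else raises.
def decode_strict(body)
  JSON.parse(body)
end

# True when the strict JSON parser refuses the body.
def strict_rejects?(body)
  decode_strict(body)
  false
rescue JSON::ParserError
  true
end

# Detection helper: a body the YAML parser accepts but the JSON parser
# rejects relies on YAML leniency and should never appear on a JSON endpoint.
# Worth logging and counting; a spike is a signal, not just noise.
def yaml_only?(body)
  return false unless strict_rejects?(body)
  decode_via_yaml(body)
  true
rescue Psych::Exception, StandardError
  false
end

# Constructed sample bodies for the example.
PLAIN_JSON  = '{"user":{"name":"alice"}}'.freeze   # valid JSON and valid YAML
BLOCK_YAML  = "user:\n  name: alice\n".freeze       # YAML only: indentation-based mapping
FLOW_YAML   = '{user: {name: alice}}'.freeze        # YAML only: unquoted keys and values

if __FILE__ == $PROGRAM_NAME
  [PLAIN_JSON, BLOCK_YAML, FLOW_YAML].each do |body|
    puts "#{body.inspect}: yaml=#{decode_via_yaml(body).inspect} " \
         "strict_rejects=#{strict_rejects?(body)} yaml_only=#{yaml_only?(body)}"
  end
end
```

The mitigation the announcement points to is the upgrade itself; in application code the same lesson is to decode JSON request bodies with a JSON-only parser (as `decode_strict` does) and to treat any body that parses only under YAML rules as a rejected request rather than a tolerated one.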