The Ruby on Rails community has been made aware of several critical vulnerabilities in recent weeks. As Mingle is built on Ruby on Rails, we have been making priority Mingle releases that fix these issues as they are disclosed. You can find the latest fixed release on our website.
This post is intended to keep you up to date on the status of the latest Rails vulnerabilities and whether or not Mingle is affected by them. You will find a list of issues fixed in Mingle as well as a list of issues we are aware of but which do not affect Mingle. If you are aware of other issues that are not outlined here, please contact Studios support.
Issues fixed in the latest version of Mingle
- Vulnerability Note VU#628463: Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability (CVE-2013-0333)
- Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
- Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
- XSS Vulnerability in the `sanitize` helper of Ruby on Rails (CVE-2013-1857)
Known issues that Mingle is not affected by
- Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)
  - Mingle does not use the `JSON.parse` method from the json gem
- Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 (CVE-2013-0277)
  - YAML parsing is disabled when deserializing XML in Mingle
- Circumvention of `attr_protected` (CVE-2013-0276)
  - Mingle does not use `attr_protected`
- Symbol DoS vulnerability in Active Record (CVE-2013-1854)
- XSS vulnerability in `sanitize_css` in Action Pack (CVE-2013-1855)
- XML Parsing Vulnerability affecting JRuby users (CVE-2013-1856)
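The mitigation behind both the Action Pack parameter-parsing fix (CVE-2013-0156) and "YAML parsing is disabled when deserializing XML" is that the XML params typecast table no longer honours `type="yaml"` or `type="symbol"`. The following is an added example, not Mingle's or Rails' own code: it models that table with a minimal stand-in for `ActiveSupport::XmlMini::PARSING` (the real constant is assumed, not loaded here) and shows that, once the two converters are dropped, a client-supplied `type="yaml"` attribute is ignored and the value stays a plain string. The request body is constructed for the example.

```ruby
require "rexml/document"
require "yaml"

# Minimal stand-in for the Rails 2.3/3.x XML params typecast table
# (ActiveSupport::XmlMini::PARSING): maps the XML `type` attribute to a
# converter. The "yaml" and "symbol" entries let a client choose the
# Ruby type of a value, which is the root of CVE-2013-0156.
DEFAULT_PARSING = {
  "integer" => ->(s) { Integer(s) },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },      # uncollectable symbols on old Rubies
  "yaml"    => ->(s) { YAML.load(s) },  # arbitrary types on old Psych
}.freeze

# The upstream workaround: remove the two unsafe converters so that a
# `type="yaml"` or `type="symbol"` attribute is simply not recognised.
def hardened_parsing(table = DEFAULT_PARSING)
  table.reject { |name, _| %w[yaml symbol].include?(name) }.freeze
end

# Turn a flat <params><key type="...">value</key>...</params> document
# into a Hash, applying the converter named by `type` when one exists
# and otherwise keeping the raw text as a String.
def typecast_xml_params(xml, parsing)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, params|
    text = el.text.to_s
    conv = parsing[el.attributes["type"]]
    params[el.name] = conv ? conv.call(text) : text
  end
end

# Constructed request body: the client asks for `profile` to be YAML.
SAMPLE_BODY = <<~XML
  <params>
    <count type="integer">3</count>
    <profile type="yaml">admin: true</profile>
  </params>
XML

if __FILE__ == $PROGRAM_NAME
  p typecast_xml_params(SAMPLE_BODY, DEFAULT_PARSING)   # profile becomes a Hash
  p typecast_xml_params(SAMPLE_BODY, hardened_parsing)  # profile stays a String
end
```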
The Mingle Team