CVE-2013-0155

Ruby on Rails 3.0.x < 3.0.19, 3.1.x < 3.1.10, 3.2.x < 3.2.11 - SQL Query Manipulation via JSON Parameter Handling


Description

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 do not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.

References (12)

http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html (Mailing List, Third Party Advisory; vendor-advisory; x_refsource_suse)
http://rhn.redhat.com/errata/RHSA-2013-0155.html (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://www.debian.org/security/2013/dsa-2609 (Third Party Advisory; vendor-advisory; x_refsource_debian)
http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html (Mailing List, Third Party Advisory; vendor-advisory; x_refsource_suse)
https://puppet.com/security/cve/cve-2013-0155 (Third Party Advisory; x_refsource_confirm)
http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html (Mailing List, Third Party Advisory; vendor-advisory; x_refsource_suse)
http://support.apple.com/kb/HT5784 (Third Party Advisory; x_refsource_confirm)
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html (Mailing List, Third Party Advisory; vendor-advisory; x_refsource_apple)
http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html (Mailing List, Third Party Advisory; vendor-advisory; x_refsource_suse)
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A (Third Party Advisory, US Government Resource; x_refsource_misc)
http://rhn.redhat.com/errata/RHSA-2013-0154.html (Third Party Advisory; vendor-advisory; x_refsource_redhat)

Scores

EPSS 0.1817
EPSS Percentile 95.3%

Details

CWE
CWE-264
Status published
Products (4)
debian/debian_linux 6.0
rubygems/activerecord 3.0.0 - 3.0.19
rubyonrails/rails 3.2.0 - 3.2.11
rubyonrails/ruby_on_rails 3.0.0 - 3.0.19
Published Jan 13, 2013
Tracked Since Feb 18, 2026