Back to search
CVE-2013-0155
Published: Jan 13, 2013
Modified: Aug 6, 2024
PUBLISHED
Description
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
openSUSE-SU-2013:1906
vendor-advisory
x_refsource_SUSE
RHSA-2013:0155
vendor-advisory
x_refsource_REDHAT
DSA-2609
vendor-advisory
x_refsource_DEBIAN
openSUSE-SU-2014:0009
vendor-advisory
x_refsource_SUSE
https://puppet.com/security/cve/cve-2013-0155
x_refsource_CONFIRM
openSUSE-SU-2013:1907
vendor-advisory
x_refsource_SUSE
http://support.apple.com/kb/HT5784
x_refsource_CONFIRM
APPLE-SA-2013-06-04-1
vendor-advisory
x_refsource_APPLE
openSUSE-SU-2013:1904
vendor-advisory
x_refsource_SUSE
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
x_refsource_MISC
RHSA-2013:0154
vendor-advisory
x_refsource_REDHAT
[rubyonrails-security] 20130108 Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
mailing-list
x_refsource_MLIST
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now