QwikSec

Security Database

CVE

CWE

Training

CVE-2013-3221

Published: Apr 22, 2013

Modified: Aug 6, 2024

PUBLISHED

Description

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/

x_refsource_MISC

[rubyonrails-security] 20130207 Potential Query Manipulation with Common Rails Practises

mailing-list

x_refsource_MLIST

http://www.phenoelit.org/blog/archives/2013/02/index.html

x_refsource_MISC

[oss-security] 20130424 CVE-2013-3221 can also relate to Microsoft SQL Server and IBM DB2

mailing-list

x_refsource_MLIST

https://gist.github.com/dakull/5442275

x_refsource_CONFIRM

[oss-security] 20130207 Potential Query Manipulation with Common Rails Practises

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.