Ruby on Rails Parameter Handling Vulnerability in Active Record Component
CVE-2013-0155

Currently unrated

Key Information:

Vendor
CVE Published: 13 January 2013

What is CVE-2013-0155?

Ruby on Rails versions prior to the specified releases do not properly handle parameters passed between the JSON implementations and the Active Record component. An attacker can craft a request that bypasses intended database-query restrictions, causing a query to perform unauthorized NULL checks or to run with a missing WHERE clause. The issue is connected to prior vulnerabilities and poses a significant risk to web application integrity.

EPSS Score

11% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
