CVE-2013-0155
Description
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform null checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
Risk Information
Base Score
8.6
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
EPSS Score
Exploitation Probability
18.174
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2013-0155 are fixed in Ruby-activerecord 3.0.19 | Windows |
| Vulnerabilities CVE-2013-0155 are fixed in Ruby-activerecord 3.1.10 | Windows |
| Vulnerabilities CVE-2013-0155 are fixed in Ruby-activerecord 3.2.11 | Windows |
| Vulnerabilities CVE-2013-0155 are fixed in Ruby-activerecord for Linux 3.0.19 | Linux |
| Vulnerabilities CVE-2013-0155 are fixed in Ruby-activerecord for Linux 3.1.10 | Linux |
| Vulnerabilities CVE-2013-0155 are fixed in Ruby-activerecord for Linux 3.2.11 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234