Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 6.4
CVE Id: CVE-2013-0155
Last Modified: 13 Jan 2014 11:22:16
Published: 13 Jan 2013 05:55:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2013-0155

Summary

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.

Vulnerable Systems

Application

  • Rubyonrails Ruby On Rails 3.0.0
  • Rubyonrails Ruby On Rails 3.0.1
  • Rubyonrails Ruby On Rails 3.0.2
  • Rubyonrails Ruby On Rails 3.0.3
  • Rubyonrails Ruby On Rails 3.0.4
  • Rubyonrails Ruby On Rails 3.0.5
  • Rubyonrails Ruby On Rails 3.0.6
  • Rubyonrails Ruby On Rails 3.0.7
  • Rubyonrails Ruby On Rails 3.0.8
  • Rubyonrails Ruby On Rails 3.0.9
  • Rubyonrails Ruby On Rails 3.0.10
  • Rubyonrails Ruby On Rails 3.0.11
  • Rubyonrails Ruby On Rails 3.0.12
  • Rubyonrails Ruby On Rails 3.0.13
  • Rubyonrails Ruby On Rails 3.0.14
  • Rubyonrails Ruby On Rails 3.0.16
  • Rubyonrails Ruby On Rails 3.0.17
  • Rubyonrails Ruby On Rails 3.0.18
  • Rubyonrails Ruby On Rails 3.1.0
  • Rubyonrails Ruby On Rails 3.1.1
  • Rubyonrails Ruby On Rails 3.1.2
  • Rubyonrails Ruby On Rails 3.1.3
  • Rubyonrails Ruby On Rails 3.1.4
  • Rubyonrails Ruby On Rails 3.1.5
  • Rubyonrails Ruby On Rails 3.1.6
  • Rubyonrails Ruby On Rails 3.1.7
  • Rubyonrails Ruby On Rails 3.1.8
  • Rubyonrails Ruby On Rails 3.1.9
  • Rubyonrails Ruby On Rails 3.2.0
  • Rubyonrails Ruby On Rails 3.2.1
  • Rubyonrails Ruby On Rails 3.2.2
  • Rubyonrails Ruby On Rails 3.2.3
  • Rubyonrails Ruby On Rails 3.2.4
  • Rubyonrails Ruby On Rails 3.2.5
  • Rubyonrails Ruby On Rails 3.2.6
  • Rubyonrails Ruby On Rails 3.2.7
  • Rubyonrails Ruby On Rails 3.2.8
  • Rubyonrails Ruby On Rails 3.2.9
  • Rubyonrails Ruby On Rails 3.2.10


References

  • MLIST - [rubyonrails-security] 20130108 Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
  • DEBIAN - DSA-2609
  • REDHAT - RHSA-2013:0155
  • REDHAT - RHSA-2013:0154
  • MISC - http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
  • CONFIRM - http://support.apple.com/kb/HT5784
  • APPLE - APPLE-SA-2013-06-04-1
  • SUSE - openSUSE-SU-2013:1907
  • SUSE - openSUSE-SU-2013:1906
  • SUSE - openSUSE-SU-2013:1904
  • SUSE - openSUSE-SU-2014:0009


Last Updated: 27 May 2016 10:58:31