RubySec

Providing security resources for the Ruby community

CVE-2013-0155 (activerecord): Ruby on Rails Active Record JSON Parameter Parsing Query Bypass

ADVISORIES

GEM

activerecord

FRAMEWORK

rails

SEVERITY

CVSS v2: 10.0

PATCHED VERSIONS

  • ~> 2.3.16
  • ~> 3.0.19
  • ~> 3.1.10
  • >= 3.2.11

DESCRIPTION

Ruby on Rails contains a flaw in the Active Record. The issue is due to an error with the way the Active Record handles parameters combined with an error during the parsing of the JSON parameters. This may allow a remote attacker to bypass restrictions abd issue unexpected database queries with “IS NULL” or empty where clauses, and forcing the query to unexpectedly check for NULL or eliminate a WHERE clause.