CVE-2013-0155

Опубликовано: 13 янв. 2013

Источник: nvd

CVSS2: 6.4

EPSS Средний

Описание

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.

Ссылки

http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
Third Party Advisory
US Government Resource
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
Mailing List
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0154.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0155.html
Third Party Advisory
http://support.apple.com/kb/HT5784
Third Party Advisory
http://www.debian.org/security/2013/dsa-2609
Third Party Advisory
https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain
Third Party Advisory
https://puppet.com/security/cve/cve-2013-0155
Third Party Advisory
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
Third Party Advisory
US Government Resource
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
Mailing List
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0154.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0155.html
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*

Версия от 3.2.0 (включая) до 3.2.11 (исключая)

cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*

Версия от 3.0.0 (включая) до 3.0.19 (исключая)

cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*

Версия от 3.1.0 (включая) до 3.1.10 (исключая)

Конфигурация 2

cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*

EPSS

Процентиль: 94%

0.12544

Средний

6.4 Medium

CVSS2

Дефекты

CWE-264

Связанные уязвимости

CVE-2013-0155

ubuntu

около 13 лет назад

CVE-2013-0155

redhat

около 13 лет назад

CVE-2013-0155

debian

около 13 лет назад

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x befo ...

GHSA-gppp-5xc5-wfpx

github

больше 8 лет назад

Active Record allows bypassing of database-query restrictions

EPSS

Процентиль: 94%

0.12544

Средний

6.4 Medium

CVSS2

Дефекты

CWE-264