CVE-2013-0155
Published: 13 January 2013
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
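The root cause described above is that a JSON body can carry parameter shapes (an array holding only `null`, for example) that the query layer interprets differently from the scalar the application expected, so a lookup such as "find the record with this token" can degrade into a NULL check. The defensive fix is to normalise decoded parameters before they reach any query builder and to refuse lookups whose key value is absent after normalisation. The following Ruby is an added illustration of that mitigation, written for this page; it is not the Rails or Active Record code, and the helper names `deep_munge`, `parse_params`, `lookup_predicate` and `predicate_from_json`, as well as the sample request bodies, are constructed for the example.

```ruby
require 'json'

# Normalise decoded JSON parameters before they reach a query builder.
# Arrays collapse to nil when they contain only nils, nils inside arrays are
# dropped, and hashes are walked recursively. This mirrors the intent of the
# upstream fix; it is an added illustration, not the Rails implementation.
def deep_munge(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = deep_munge(v) }
  when Array
    cleaned = value.map { |v| deep_munge(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# Parse a JSON request body and normalise it in one step.
def parse_params(json_body)
  deep_munge(JSON.parse(json_body))
end

# Build a WHERE predicate for a single column. Value types map the way a
# typical ORM maps them (scalar -> equality, array -> IN list). A nil is
# refused outright, so a lookup by e.g. a reset token can never become an
# "IS NULL" comparison that matches every row with no token set.
def lookup_predicate(column, value)
  case value
  when nil
    raise ArgumentError, "refusing to query #{column} with no value"
  when Array
    "#{column} IN (#{value.map(&:inspect).join(', ')})"
  else
    "#{column} = #{value.inspect}"
  end
end

# Convenience wrapper: parse, normalise and build the predicate for one key.
def predicate_from_json(column, json_body)
  lookup_predicate(column, parse_params(json_body)[column])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies, not captured traffic.
  puts predicate_from_json("token", '{"token": "abc123"}')     # token = "abc123"
  puts predicate_from_json("token", '{"token": ["a", null]}')  # token IN ("a")
  begin
    predicate_from_json("token", '{"token": [null]}')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"                              # rejected: refusing to query token with no value
  end
end
```

The important design choice is that normalisation happens once, at the request boundary, and that the query helper treats "no value" as an error rather than as a wildcard; the patched Rails releases listed above take the same boundary approach, and an application can add the explicit nil refusal on top of the framework fix for lookups where a NULL match would be a security problem.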
Notes
| Author | Note |
|---|---|
| mdeslaur | in Oneiric+, rails package is just for transition |
| jdstrand | vulnerabilities are in ruby-actionpack* and ruby-activerecord* in Ubuntu 11.10 and higher per Debian, ruby-actionpack-2.3 not-affected (only ruby-activerecord-2.3) |
Priority
Status
| Package | Release | Status |
|---|---|---|
| rails | hardy | Ignored (end of life) |
| rails | lucid | Ignored (end of life) |
| rails | oneiric | Not vulnerable (contains no code) |
| rails | precise | Not vulnerable (contains no code) |
| rails | quantal | Not vulnerable (contains no code) |
| rails | raring | Not vulnerable (contains no code) |
| rails | saucy | Not vulnerable (contains no code) |
| rails | upstream | Needs triage |
| rails | Patches | vendor: http://www.debian.org/security/2013/dsa-2609 |
| ruby-actionpack-2.3 | hardy | Does not exist |
| ruby-actionpack-2.3 | lucid | Does not exist |
| ruby-actionpack-2.3 | oneiric | Not vulnerable |
| ruby-actionpack-2.3 | precise | Not vulnerable |
| ruby-actionpack-2.3 | quantal | Not vulnerable |
| ruby-actionpack-2.3 | raring | Not vulnerable |
| ruby-actionpack-2.3 | saucy | Not vulnerable |
| ruby-actionpack-2.3 | upstream | Needs triage |
| ruby-actionpack-3.2 | hardy | Does not exist |
| ruby-actionpack-3.2 | lucid | Does not exist |
| ruby-actionpack-3.2 | oneiric | Does not exist |
| ruby-actionpack-3.2 | precise | Does not exist |
| ruby-actionpack-3.2 | quantal | Released (3.2.6-4ubuntu0.1) |
| ruby-actionpack-3.2 | raring | Not vulnerable (3.2.6-5) |
| ruby-actionpack-3.2 | saucy | Not vulnerable (3.2.6-5) |
| ruby-actionpack-3.2 | upstream | Released (3.2.6-5) |
| ruby-activerecord-2.3 | hardy | Does not exist |
| ruby-activerecord-2.3 | lucid | Does not exist |
| ruby-activerecord-2.3 | oneiric | Released (2.3.14-1ubuntu0.11.10.1) |
| ruby-activerecord-2.3 | precise | Released (2.3.14-1ubuntu0.12.04.1) |
| ruby-activerecord-2.3 | quantal | Released (2.3.14-2ubuntu0.1) |
| ruby-activerecord-2.3 | raring | Released (2.3.14-4) |
| ruby-activerecord-2.3 | saucy | Released (2.3.14-4) |
| ruby-activerecord-2.3 | upstream | Released (2.3.14-4) |
| ruby-activerecord-3.2 | hardy | Does not exist |
| ruby-activerecord-3.2 | lucid | Does not exist |
| ruby-activerecord-3.2 | oneiric | Does not exist |
| ruby-activerecord-3.2 | precise | Does not exist |
| ruby-activerecord-3.2 | quantal | Released (3.2.6-2ubuntu0.1) |
| ruby-activerecord-3.2 | raring | Not vulnerable (3.2.6-4) |
| ruby-activerecord-3.2 | saucy | Not vulnerable (3.2.6-4) |
| ruby-activerecord-3.2 | upstream | Released (3.2.6-4) |