Published: 13/01/2013 Updated: 08/08/2019

CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10

VMScore: 571

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Ruby on Rails 3.0.x prior to 3.0.19, 3.1.x prior to 3.1.10, and 3.2.x prior to 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote malicious users to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.

Vulnerable Product	Search on Vulmon	Subscribe to Product
rubyonrails ruby on rails
rubyonrails rails
debian debian linux 6.0

An interpretation conflict can cause the Active Record component of Rails, a web framework for the Ruby programming language, to truncate queries in unexpected ways This may allow attackers to elevate their privileges For the stable distribution (squeeze), this problem has been fixed in version 235-12+squeeze5 We recommend that you upgrade yo ...

Synopsis Important: ruby193-rubygem-actionpack security update Type/Severity Security Advisory: Important Topic Updated ruby193-rubygem-actionpack packages that fix multiple securityissues are now available for Red Hat OpenStack 30The Red Hat Security Response Team has rated this update as havingimportant ...

Synopsis Important: ruby193-rubygem-actionpack security update Type/Severity Security Advisory: Important Topic Updated ruby193-rubygem-actionpack packages that fix multiple securityissues are now available for Red Hat Software Collections 1The Red Hat Security Response Team has rated this update as having ...

Synopsis Critical: Ruby on Rails security update Type/Severity Security Advisory: Critical Topic Updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecordpackages that fix multiple security issues are now available for Red HatSubscription Asset ManagerThe Red Hat Security Response Team ha ...

Synopsis Moderate: Red Hat OpenShift Enterprise 111 update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Enterprise 111 is now availableThe Red Hat Security Response Team has rated this update as having moderatesecurity impact Common Vulnerability Scoring System (CVSS) base scores, ...

Debian Bug report logs - #731288 ruby-actionpack-32: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416] Package: ruby-actionpack-32; Maintainer for ruby-actionpack-32 is (unknown); Reported by: Antonio Terceiro <terceiro@debianorg> Date: Wed, 4 Dec 2013 01:09:01 UTC Severi ...

Debian Bug report logs - #697744 ruby-activerecord-32: CVE-2013-0155 Package: ruby-activerecord-32; Maintainer for ruby-activerecord-32 is (unknown); Reported by: Moritz Muehlenhoff <jmm@inutilorg> Date: Wed, 9 Jan 2013 07:51:07 UTC Severity: grave Tags: security Fixed in version ruby-activerecord-32/326-4 Done: ...

Debian Bug report logs - #731290 ruby-actionpack-40: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416] Package: ruby-actionpack-40; Maintainer for ruby-actionpack-40 is (unknown); Reported by: Antonio Terceiro <terceiro@debianorg> Date: Wed, 4 Dec 2013 01:09:01 UTC Severi ...

Debian Bug report logs - #697722 rails: CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Source for rails is src:rails (PTS, buildd, popcon) Reported by: Henri Salo <henr ...

Bootstrapped Rails 3.2.10 to test the remote code exploit CVE-2013-0156

Rails PoC exploits for CVE-2013-0156 and CVE-2013-0155¶ ↑ Bootstrapped a Rails 3210 application with the remote code execution exploit Ref: githubcom/ronin-ruby/ronin-rubygithubcom/blob/rails-pocs/blog/_posts/2013-01-09-rails-pocsmd Setup¶ ↑ Install gem dependencies and fire up the app on port 3002 $ bundle install $ rake db:migrate $ rails s -p

This repo has a dependency which is associated with this CVE-2016-6317 Action Record in Ruby on Rails 42x before 4271 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE claus

CWE-264 https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain http://rhn.redhat.com/errata/RHSA-2013-0154.html http://www.debian.org/security/2013/dsa-2609 http://rhn.redhat.com/errata/RHSA-2013-0155.html http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html http://support.apple.com/kb/HT5784 http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html https://puppet.com/security/cve/cve-2013-0155 https://nvd.nist.gov https://www.debian.org/security/./dsa-2609 https://github.com/bsodmike/rails-exploit-cve-2013-0156

Get Started

CVE-2013-0155

Vulnerability Summary

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect