---
url: http://www.osvdb.org/show/osvdb/82610
title: Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query Arbitrary IS NULL Clause Injection 

description: >
  Ruby on Rails contains a flaw related to the way ActiveRecord handles
  parameters in conjunction with the way Rack parses query parameters.
  This issue may allow an attacker to inject arbitrary 'IS NULL' clauses
  in to application SQL queries. This may also allow an attacker to have
  the SQL query check for NULL in arbitrary places.

cvss_v2: 7.5

patched_versions:
  - ~> 3.0.13
  - ~> 3.1.5
  - ">= 3.2.4"