Sha256: 7ef6c7dcc77687cc5fcde3453fbd5ec87a6f637c05d262bf51e5bdf41512043f

Contents?: true

Size: 729 Bytes

Versions: 14

Compression:

Stored size: 729 Bytes

Contents

--- 
gem: activerecord
framework: rails
cve: 2013-0155
osvdb: 89025
url: http://osvdb.org/show/osvdb/89025
title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass 
date: 2013-01-08

description: |
  Ruby on Rails contains a flaw in Active Record. The issue is due to an
  error in the way Active Record handles parameters, combined with an
  error during the parsing of JSON parameters. This may allow a remote
  attacker to bypass restrictions and issue unexpected database queries with
  "IS NULL" or empty WHERE clauses, forcing the query to unexpectedly check
  for NULL or eliminate a WHERE clause.

cvss_v2: 10.0

patched_versions: 
  - ~> 2.3.16
  - ~> 3.0.19
  - ~> 3.1.10
  - ">= 3.2.11"

Version data entries

14 entries across 14 versions & 3 rubygems

Version Path
bundler-budit-0.6.2 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
bundler-audit-0.5.0 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
bundler-audit-0.4.0 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
bundler-audit-0.3.1 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
mrjoy-bundler-audit-0.3.3 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
mrjoy-bundler-audit-0.3.2 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
mrjoy-bundler-audit-0.3.1 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
bundler-audit-0.3.0 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
mrjoy-bundler-audit-0.2.1 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
bundler-audit-0.2.0 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
mrjoy-bundler-audit-0.1.4 data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml