---
url: http://osvdb.org/show/osvdb/89025
title: |
  Ruby on Rails Active Record JSON Parameter Parsing Query Bypass 

description: |
  Ruby on Rails contains a flaw in the Active Record. The issue is due to an
  error with the way the Active Record handles parameters combined with an
  error during the parsing of the JSON parameters. This may allow a remote
  attacker to bypass restrictions abd issue unexpected database queries with
  "IS NULL" or empty where clauses, and forcing the query to unexpectedly check
  for NULL or eliminate a WHERE clause.

cvss_v2: 10.0

patched_versions:
  - ~> 3.0.19
  - ~> 3.1.10
  - ">= 3.2.11"