Homepage
About Snyk

JSON Parameter Parsing Query Bypass Affecting activerecord package, versions < 3.2.11, >= 3.2 < 3.1.10, >= 3.1 < 3.0.19, >= 2.4 < 2.3.16

0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.37% (73rd percentile)
Expand this section
NVD
6.5 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-ACTIVERECORD-20046
  • published 7 Jan 2013
  • disclosed 7 Jan 2013
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 7 Jan 2013

CVE-2013-0155 Open this link in a new tab
CWE-284 Open this link in a new tab

How to fix?

Upgrade activerecord to versions 3.2.11, 3.1.10, 3.0.19, 2.3.16 or higher.

Overview

ActiveRecord is the Object-Relational Mapping (ORM) that comes out-of-the-box with Rails. It plays the role of Model in the MVC architecture employed by Rails.

Affected versions of this package are vulenrable to JSON Parameter Parsing Query Bypass due to an error with the way it handles parameters combined with an error during the parsing of the JSON parameters. This may allow a remote attacker to bypass restrictions and issue unexpected database queries with IS NULL or empty WHERE clauses, and forcing the query to unexpectedly check for NULL or eliminate a WHERE clause.