JSON Parameter Parsing Query Bypass Affecting activerecord package, versions < 3.2.11, >= 3.2 < 3.1.10, >= 3.1 < 3.0.19, >= 2.4 < 2.3.16
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-ACTIVERECORD-20046
- published 7 Jan 2013
- disclosed 7 Jan 2013
- credit Unknown
Introduced: 7 Jan 2013
CVE-2013-0155 Open this link in a new tabHow to fix?
Upgrade activerecord to versions 3.2.11, 3.1.10, 3.0.19, 2.3.16 or higher.
Overview
ActiveRecord is the Object-Relational Mapping (ORM) that comes out-of-the-box with Rails. It plays the role of Model in the MVC architecture employed by Rails.
Affected versions of this package are vulenrable to JSON Parameter Parsing Query Bypass due to an error with the way it handles parameters combined with an error during the parsing of the JSON parameters. This may allow a remote attacker to bypass restrictions and issue unexpected database queries with IS NULL or empty WHERE clauses, and forcing the query to unexpectedly check for NULL or eliminate a WHERE clause.