JSON Parameter Parsing Query Bypass Affecting activerecord package, versions < 3.2.11, >= 3.2 < 3.1.10, >= 3.1 < 3.0.19, >= 2.4 < 2.3.16


0.0
medium
  • Attack Complexity

    Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-RUBY-ACTIVERECORD-20046

  • published

    7 Jan 2013

  • disclosed

    7 Jan 2013

  • credit

    Unknown

How to fix?

Upgrade activerecord to versions 3.2.11, 3.1.10, 3.0.19, 2.3.16 or higher.

Overview

ActiveRecord is the Object-Relational Mapping (ORM) that comes out-of-the-box with Rails. It plays the role of Model in the MVC architecture employed by Rails.

Affected versions of this package are vulenrable to JSON Parameter Parsing Query Bypass due to an error with the way it handles parameters combined with an error during the parsing of the JSON parameters. This may allow a remote attacker to bypass restrictions and issue unexpected database queries with IS NULL or empty WHERE clauses, and forcing the query to unexpectedly check for NULL or eliminate a WHERE clause.