JSON Parameter Parsing Query Bypass Affecting activerecord package, versions < 3.2.11, >= 3.2 < 3.1.10, >= 3.1 < 3.0.19, >= 2.4 < 2.3.16
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
7 Jan 2013
7 Jan 2013
How to fix?
activerecord to versions 3.2.11, 3.1.10, 3.0.19, 2.3.16 or higher.
ActiveRecord is the Object-Relational Mapping (ORM) that comes out-of-the-box with Rails. It plays the role of Model in the MVC architecture employed by Rails.
Affected versions of this package are vulenrable to JSON Parameter Parsing Query Bypass due to an error with the way it handles parameters combined with an error during the parsing of the JSON parameters. This may allow a remote attacker to bypass restrictions and issue unexpected database queries with
IS NULL or empty
WHERE clauses, and forcing the query to unexpectedly check for
NULL or eliminate a