CVE-2013-0155 in Ruby on Railsinformation

Résumé (Anglaise)

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Réserver

06/12/2012

Divulgation

13/01/2013

Statut

Confirmé

Entrées

VulDB provides additional information and datapoints for this CVE:

ID	Vulnérabilité	CWE	Exp	Con	CVE
7308	Ruby on Rails JSON Parameter Par élévation de privilèges	264	Preuve de concept	Correctif officiel	CVE-2013-0155

Description

CPE

CWE

CVSS

Exploits

Histoire

Diff

Relier

Renseignements sur les menaces

API JSON

API XML

API CSV

Sources

◂ PrécédentAperçuSuivant ▸

Want to know what is going to be exploited?

We predict KEV entries!