NVD Advisory · Moderate severity · Published Jan 13, 2013 · Updated Apr 29, 2026
CVE-2013-0155
Description
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
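The issue above is that a JSON body can carry values such as `[null]` that form-encoded input never produces, and passing the resulting `[nil]` straight into an Active Record condition changes the shape of the generated SQL. The following is an added example written for this page, not Rails' own code: it normalises parsed JSON before it reaches a query (dropping nils from arrays and collapsing an array that is left empty) and then refuses to use anything other than a scalar, non-nil value as a lookup key. The function names `deep_munge` and `safe_lookup_key` and the request bodies are constructed for illustration.

```ruby
require 'json'

# Added example, not Rails code. Normalise parsed JSON parameters so that an
# array whose only element is null (the "[nil]" case from the advisory) never
# reaches an Active Record condition.
#
#   [nil]        -> nil    (array left empty after dropping nils collapses)
#   ["a", nil]   -> ["a"]  (nils inside arrays are dropped)
#   nested hashes and arrays are processed recursively
def deep_munge(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = deep_munge(v) }
  when Array
    cleaned = value.map { |v| deep_munge(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# Second line of defence for single-record lookups such as
# `where(:name => ...)`: only a scalar, non-nil value is acceptable as the
# key. Returns nil for anything that would produce an `IS NULL` condition
# (nil) or an unexpected predicate shape (array or hash).
def safe_lookup_key(value)
  return nil if value.nil? || value.is_a?(Array) || value.is_a?(Hash)
  value
end

# Parse a request body and apply the normalisation in one step.
def munge_json(body)
  deep_munge(JSON.parse(body))
end

# Constructed request bodies, not captured traffic.
BENIGN  = '{"name":"alice","ids":[1,2]}'
CRAFTED = '{"name":[null],"ids":[null,null]}'

if __FILE__ == $0
  p munge_json(BENIGN)                            # {"name"=>"alice", "ids"=>[1, 2]}
  p munge_json(CRAFTED)                           # {"name"=>nil, "ids"=>nil}
  p safe_lookup_key(munge_json(CRAFTED)["name"])  # nil: the lookup is refused
end
```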
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activerecord (RubyGems) | >= 3.0.0, < 3.0.19 | 3.0.19 |
| activerecord (RubyGems) | >= 3.1.0, < 3.1.10 | 3.1.10 |
| activerecord (RubyGems) | >= 3.2.0, < 3.2.11 | 3.2.11 |
Affected products
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- ics-cert.us-cert.gov/advisories/ICSA-13-036-01A (nvd: Third Party Advisory, US Government Resource)
- lists.apple.com/archives/security-announce/2013/Jun/msg00000.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2013-12/msg00079.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2013-12/msg00081.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2013-12/msg00082.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2014-01/msg00003.html (nvd: Mailing List, Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2013-0154.html (nvd: Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2013-0155.html (nvd: Third Party Advisory)
- support.apple.com/kb/HT5784 (nvd: Third Party Advisory)
- www.debian.org/security/2013/dsa-2609 (nvd: Third Party Advisory)
- github.com/advisories/GHSA-gppp-5xc5-wfpx (ghsa: Advisory)
- groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9 (nvd: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-0155 (ghsa: Advisory)
- puppet.com/security/cve/cve-2013-0155 (nvd: Third Party Advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0155.yml (ghsa: Web)