Moderate severity · NVD Advisory · Published Jan 13, 2013 · Updated Jun 16, 2026
CVE-2013-0155
Description
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activerecord (RubyGems) | >= 3.0.0, < 3.0.19 | 3.0.19 |
| activerecord (RubyGems) | >= 3.1.0, < 3.1.10 | 3.1.10 |
| activerecord (RubyGems) | >= 3.2.0, < 3.2.11 | 3.2.11 |
References
- ics-cert.us-cert.gov/advisories/ICSA-13-036-01A (nvd; Third Party Advisory; US Government Resource; WEB)
- lists.apple.com/archives/security-announce/2013/Jun/msg00000.html (nvd; Mailing List; Third Party Advisory; WEB)
- lists.opensuse.org/opensuse-updates/2013-12/msg00079.html (nvd; Mailing List; Third Party Advisory; WEB)
- lists.opensuse.org/opensuse-updates/2013-12/msg00081.html (nvd; Mailing List; Third Party Advisory; WEB)
- lists.opensuse.org/opensuse-updates/2013-12/msg00082.html (nvd; Mailing List; Third Party Advisory; WEB)
- lists.opensuse.org/opensuse-updates/2014-01/msg00003.html (nvd; Mailing List; Third Party Advisory; WEB)
- rhn.redhat.com/errata/RHSA-2013-0154.html (nvd; Third Party Advisory; WEB)
- rhn.redhat.com/errata/RHSA-2013-0155.html (nvd; Third Party Advisory)
- support.apple.com/kb/HT5784 (nvd; Third Party Advisory; WEB)
- www.debian.org/security/2013/dsa-2609 (nvd; Third Party Advisory; WEB)
- github.com/advisories/GHSA-gppp-5xc5-wfpx (ghsa; ADVISORY)
- groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9 (nvd; Third Party Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2013-0155 (ghsa; ADVISORY)
- puppet.com/security/cve/cve-2013-0155 (nvd; Third Party Advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0155.yml (ghsa; WEB)