The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.
No CVSS v3.1
No CVSS v3.0
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None
AV:N/AC:L/Au:N/C:P/I:P/A:N
Vendors | Products |
---|---|
Rubyonrails |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
Configuration 3 [-]
|
Configuration 4 [-]
|
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2013-04-22T01:00:00
Updated: 2013-04-25T09:00:00
Reserved: 2013-04-21T00:00:00
Link: CVE-2013-3221
JSON object: View
NVD Information
Status : Modified
Published: 2013-04-22T03:27:13.363
Modified: 2019-08-08T15:42:45.623
Link: CVE-2013-3221
JSON object: View
Redhat Information
No data.
CWE