CVE-2013-3221

EUVD-2013-3159

22.04.2013, 03:27

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.4 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:P/I:P/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 64%

Affected Products (NVD)

Vendor	Product	Version
rubyonrails	rails	2.3.0
rubyonrails	rails	2.3.1
rubyonrails	rails	2.3.2
rubyonrails	rails	2.3.3
rubyonrails	rails	2.3.4
rubyonrails	rails	2.3.9
rubyonrails	rails	2.3.10
rubyonrails	rails	2.3.11
rubyonrails	rails	2.3.12
rubyonrails	rails	2.3.13
rubyonrails	rails	2.3.14
rubyonrails	rails	2.3.15
rubyonrails	rails	2.3.16
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0:beta
rubyonrails	rails	3.0.0:beta2
rubyonrails	rails	3.0.0:beta3
rubyonrails	rails	3.0.0:beta4
rubyonrails	rails	3.0.0:rc
rubyonrails	rails	3.0.0:rc2
rubyonrails	rails	3.0.1
rubyonrails	rails	3.0.1:pre
rubyonrails	rails	3.0.2
rubyonrails	rails	3.0.2:pre
rubyonrails	rails	3.0.3
rubyonrails	rails	3.0.4:rc1
rubyonrails	rails	3.0.5
rubyonrails	rails	3.0.5:rc1
rubyonrails	rails	3.0.6
rubyonrails	rails	3.0.6:rc1
rubyonrails	rails	3.0.6:rc2
rubyonrails	rails	3.0.7
rubyonrails	rails	3.0.7:rc1
rubyonrails	rails	3.0.7:rc2
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8:rc1
rubyonrails	rails	3.0.8:rc2
rubyonrails	rails	3.0.8:rc3
rubyonrails	rails	3.0.8:rc4
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9:rc1
rubyonrails	rails	3.0.9:rc2
rubyonrails	rails	3.0.9:rc3
rubyonrails	rails	3.0.9:rc4
rubyonrails	rails	3.0.9:rc5
rubyonrails	rails	3.0.10
rubyonrails	rails	3.0.10:rc1
rubyonrails	rails	3.0.11
rubyonrails	rails	3.0.12
rubyonrails	rails	3.0.12:rc1
rubyonrails	rails	3.0.13
rubyonrails	rails	3.0.13:rc1
rubyonrails	rails	3.0.14
rubyonrails	rails	3.0.16
rubyonrails	rails	3.0.17
rubyonrails	rails	3.0.18
rubyonrails	rails	3.0.19
rubyonrails	rails	3.0.20
rubyonrails	ruby_on_rails	3.0.4
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0:beta1
rubyonrails	rails	3.1.0:rc1
rubyonrails	rails	3.1.0:rc2
rubyonrails	rails	3.1.0:rc3
rubyonrails	rails	3.1.0:rc4
rubyonrails	rails	3.1.0:rc5
rubyonrails	rails	3.1.0:rc6
rubyonrails	rails	3.1.0:rc7
rubyonrails	rails	3.1.0:rc8
rubyonrails	rails	3.1.1
rubyonrails	rails	3.1.1:rc1
rubyonrails	rails	3.1.1:rc2
rubyonrails	rails	3.1.1:rc3
rubyonrails	rails	3.1.2
rubyonrails	rails	3.1.2:rc1
rubyonrails	rails	3.1.2:rc2
rubyonrails	rails	3.1.3
rubyonrails	rails	3.1.4
rubyonrails	rails	3.1.4:rc1
rubyonrails	rails	3.1.5
rubyonrails	rails	3.1.5:rc1
rubyonrails	rails	3.1.6
rubyonrails	rails	3.1.7
rubyonrails	rails	3.1.8
rubyonrails	rails	3.1.9
rubyonrails	rails	3.1.10
rubyonrails	rails	3.2.0
rubyonrails	rails	3.2.0:rc1
rubyonrails	rails	3.2.0:rc2
rubyonrails	rails	3.2.1
rubyonrails	rails	3.2.2
rubyonrails	rails	3.2.2:rc1
rubyonrails	rails	3.2.3
rubyonrails	rails	3.2.3:rc1
rubyonrails	rails	3.2.3:rc2
rubyonrails	rails	3.2.4
rubyonrails	rails	3.2.4:rc1
rubyonrails	rails	3.2.5
rubyonrails	rails	3.2.6
rubyonrails	rails	3.2.7
rubyonrails	rails	3.2.8
rubyonrails	rails	3.2.9
rubyonrails	rails	3.2.10
rubyonrails	rails	3.2.11

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rails

bookworm	2:6.1.7.3+dfsg-2~deb12u1 fixed
bullseye	2:6.0.3.7+dfsg-2+deb11u2 fixed
bullseye (security)	2:6.0.3.7+dfsg-2+deb11u2 fixed
sid	2:6.1.7.3+dfsg-4 fixed
trixie	2:6.1.7.3+dfsg-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

ruby-activerecord-2.3

artful	dne
bionic	dne
cosmic	dne
disco	dne
hardy	dne
lucid	dne
oneiric	ignored
precise	ignored
quantal	ignored
raring	ignored
saucy	ignored
trusty	dne
utopic	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

ruby-activerecord-3.2

artful	dne
bionic	dne
cosmic	dne
disco	dne
hardy	dne
lucid	dne
oneiric	dne
precise	dne
quantal	ignored
raring	ignored
saucy	ignored
trusty	dne
utopic	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

Known Exploits!

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://openwall.com/lists/oss-security/2013/02/06/7

http://openwall.com/lists/oss-security/2013/04/24/7

http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/

http://www.phenoelit.org/blog/archives/2013/02/index.html