{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-02-05T00:00:00", "descriptions": [{"lang": "en", "value": "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-04-25T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"}, {"name": "[rubyonrails-security] 20130207 Potential Query Manipulation with Common Rails Practises", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain"}, {"tags": ["x_refsource_MISC"], "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"}, {"name": "[oss-security] 20130424 CVE-2013-3221 can also relate to Microsoft SQL Server and IBM DB2", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2013/04/24/7"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gist.github.com/dakull/5442275"}, {"name": "[oss-security] 20130207 Potential Query Manipulation with Common Rails Practises", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2013/02/06/7"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3221", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/", "refsource": "MISC", "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"}, {"name": "[rubyonrails-security] 20130207 Potential Query Manipulation with Common Rails Practises", "refsource": "MLIST", "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain"}, {"name": "http://www.phenoelit.org/blog/archives/2013/02/index.html", "refsource": "MISC", "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"}, {"name": "[oss-security] 20130424 CVE-2013-3221 can also relate to Microsoft SQL Server and IBM DB2", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2013/04/24/7"}, {"name": "https://gist.github.com/dakull/5442275", "refsource": "CONFIRM", "url": "https://gist.github.com/dakull/5442275"}, {"name": "[oss-security] 20130207 Potential Query Manipulation with Common Rails Practises", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2013/02/06/7"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:00:10.162Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"}, {"name": "[rubyonrails-security] 20130207 Potential Query Manipulation with Common Rails Practises", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"}, {"name": "[oss-security] 20130424 CVE-2013-3221 can also relate to Microsoft SQL Server and IBM DB2", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2013/04/24/7"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gist.github.com/dakull/5442275"}, {"name": "[oss-security] 20130207 Potential Query Manipulation with Common Rails Practises", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2013/02/06/7"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-3221", "datePublished": "2013-04-22T01:00:00", "dateReserved": "2013-04-21T00:00:00", "dateUpdated": "2024-08-06T16:00:10.162Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", "matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*", "matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*", "matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*", "matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*", "matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", "matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", "matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", "matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", "matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", "matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", "matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", "matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", "matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", "matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", "matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", "matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", "matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", "matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", "matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", "matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", "matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", "matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."}, {"lang": "es", "value": "El componente Active Record en Ruby on Rails 2.3.x, 3.0.x, 3.1.x, y 3.2.x, no asegura que el tipo de dato declarado de una columna de la base de datos sea usado durante la comparaci\u00f3n con los valores de entrada almacenados en dicha columna, lo que facilita a atacantes remotos a llevar a cabo ataques de inyecci\u00f3n de tipos de datos (data-types) contra las aplicaciones de Ruby on Rails a trav\u00e9s de un valor manipulado, como se ha demostrado mediante una transacci\u00f3n entre la caracter\u00edstica \"typed XML\" y la base de datos de MySQL."}], "id": "CVE-2013-3221", "lastModified": "2024-11-21T01:53:12.260", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-04-22T03:27:13.363", "references": [{"source": "cve@mitre.org", "url": "http://openwall.com/lists/oss-security/2013/02/06/7"}, {"source": "cve@mitre.org", "url": "http://openwall.com/lists/oss-security/2013/04/24/7"}, {"source": "cve@mitre.org", "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"}, {"source": "cve@mitre.org", "url": "https://gist.github.com/dakull/5442275"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2013/02/06/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2013/04/24/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://gist.github.com/dakull/5442275"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "rubygem-activerecord: Data-type injection attacks due absent database column data type (input vs stored value) check", "id": "954365", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=954365"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "status": "draft"}, "details": ["The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."], "name": "CVE-2013-3221", "package_state": [{"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Not affected", "package_name": "rubygem-activerecord", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:cloudforms_tools:1", "fix_state": "Not affected", "package_name": "rubygem-activerecord", "product_name": "Red Hat CloudForms Tools 1"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Not affected", "package_name": "rubygem-activerecord", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2013-02-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-3221\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-3221"], "statement": "Not a security issue. This issue is due to the handling of data types when passing data between rubygem-activerecord and MySQL. Applications that use rubygem-activerecord and MySQL may be affected if written in a way that exposes the issue, however any flaw would be specific to that application. For further information, please refer to https://bugzilla.redhat.com/show_bug.cgi?id=954365#c5", "threat_severity": "Low"}