VDB

RHSA-2013%3A0154

RHSA-2013%3A0154 PUBLISHED CVSS 4 MEDIUM

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.

Risk Scores

CVSS 2.0
4

Affected Products

VendorProductVersions
Red Hatrubygem-activesupport-1:3.0.10-5.el6cf.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Serverrubygem-activesupport-1:3.0.10-5.el6cf.noarch
Red Hatrubygem-activesupport-1:3.0.10-5.el6cf.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Serverrubygem-activesupport-1:3.0.10-5.el6cf.src
Red Hatrubygem-activerecord-1:3.0.10-8.el6cf.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Serverrubygem-activerecord-1:3.0.10-8.el6cf.noarch
Red Hatrubygem-actionpack-1:3.0.10-11.el6cf.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Serverrubygem-actionpack-1:3.0.10-11.el6cf.noarch
Red Hatrubygem-activerecord-1:3.0.10-8.el6cf.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Serverrubygem-activerecord-1:3.0.10-8.el6cf.src
Red Hatrubygem-actionpack-1:3.0.10-11.el6cf.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Serverrubygem-actionpack-1:3.0.10-11.el6cf.src

Timeline

  • Jan 10, 2013 CVE Published
  • Jan 14, 2013 PoC Published
  • Apr 25, 2013 PoC Published
  • May 27, 2014 PoC Published
  • May 14, 2016 PoC Published
  • Mar 20, 2020 PoC Published
  • Mar 27, 2026 CVE Updated
  • Apr 29, 2026 Distribution Patch
  • Apr 29, 2026 Distribution Patch
  • Apr 29, 2026 Security Advisory
  • Apr 29, 2026 Security Advisory
  • Apr 29, 2026 Security Advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›