VDB
RHSA-2013%3A0154
RHSA-2013%3A0154
PUBLISHED
CVSS 4 MEDIUM
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
Risk Scores
CVSS 2.0
4
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | rubygem-activesupport-1:3.0.10-5.el6cf.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server | rubygem-activesupport-1:3.0.10-5.el6cf.noarch |
| Red Hat | rubygem-activesupport-1:3.0.10-5.el6cf.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server | rubygem-activesupport-1:3.0.10-5.el6cf.src |
| Red Hat | rubygem-activerecord-1:3.0.10-8.el6cf.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server | rubygem-activerecord-1:3.0.10-8.el6cf.noarch |
| Red Hat | rubygem-actionpack-1:3.0.10-11.el6cf.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server | rubygem-actionpack-1:3.0.10-11.el6cf.noarch |
| Red Hat | rubygem-activerecord-1:3.0.10-8.el6cf.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server | rubygem-activerecord-1:3.0.10-8.el6cf.src |
| Red Hat | rubygem-actionpack-1:3.0.10-11.el6cf.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server | rubygem-actionpack-1:3.0.10-11.el6cf.src |
Timeline
- Jan 10, 2013 CVE Published
- Jan 14, 2013 PoC Published
- Apr 25, 2013 PoC Published
- May 27, 2014 PoC Published
- May 14, 2016 PoC Published
- Mar 20, 2020 PoC Published
- Mar 27, 2026 CVE Updated
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Security Advisory
- Apr 29, 2026 Security Advisory
- Apr 29, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2013:0154 advisory
- https://access.redhat.com/security/updates/classification/#critical advisory
- https://access.redhat.com/knowledge/solutions/290903 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=827353 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=827363 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=831573 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=831581 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=843711 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=847196 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=847199 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=847200 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=889649 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=892866 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=892870 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0154.json advisory
- https://access.redhat.com/security/cve/CVE-2012-2660 advisory
- https://www.cve.org/CVERecord?id=CVE-2012-2660 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2012-2660 advisory
- https://access.redhat.com/security/cve/CVE-2012-2661 advisory
- https://www.cve.org/CVERecord?id=CVE-2012-2661 advisory
…and 29 more