CVE-2013-3221 — Improper Input Validation in Rails

CWE-20 — Improper Input Validation CWE-89 — SQL Injection8 documents7 sources

Severity

6.4MEDIUMNVD

EPSS

0.5%

top 34.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Activerecord Project Activerecord Rubyonrails Ruby ON Rails

Timeline

PublishedApr 22

Latest updateMay 14

Description

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages4 packages

▶Debianrubyonrails/rails< 2.3.14.1+3

▶NVDrubyonrails/rails56 versions+55

▶NVDrubyonrails/ruby_on_rails3.0.4

▶RubyGemsactiverecord_project/activerecord< 4.2.0

🔴Vulnerability Details

OSV

Active Record component in Ruby on Rails has a data-type injection vulnerability↗2022-05-14

▶

GHSA

Active Record component in Ruby on Rails has a data-type injection vulnerability↗2022-05-14

▶

OSV

CVE-2013-3221: The Active Record component in Ruby on Rails 2↗2013-04-22

▶

CVEList

CVE-2013-3221: The Active Record component in Ruby on Rails 2↗2013-04-22

▶

📋Vendor Advisories

Red Hat

rubygem-activerecord: Data-type injection attacks due absent database column data type (input vs stored value) check↗2013-02-07

▶

Debian

CVE-2013-3221: rails - The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does...↗2013

▶

💬Community

Bugzilla

CVE-2013-3221 rubygem-activerecord: Data-type injection attacks due absent database column data type (input vs stored value) check↗2013-04-22

▶