Vulnerability Details : CVE-2013-0155
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
Products affected by CVE-2013-0155
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Threat overview for CVE-2013-0155
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2013-0155: 149
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2013-0155
- EPSS score: 13.41% (probability of exploitation activity in the next 30 days)
- Percentile: ~94% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2013-0155
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST |
CWE ids for CVE-2013-0155
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-0155
- http://www.debian.org/security/2013/dsa-2609 : Debian -- Security Information -- DSA-2609-1 rails (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0154.html : RHSA-2013:0154 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://support.apple.com/kb/HT5784 : About the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002 - Apple Support (Third Party Advisory)
- https://puppet.com/security/cve/cve-2013-0155 : CVE-2013-0155 | Puppet (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0155.html : Red Hat Customer Portal (Third Party Advisory)
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html : Apple - Lists.apple.com (Mailing List; Third Party Advisory)
- https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain : Google Groups (Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html : openSUSE-SU-2014:0009-1: moderate: update for rubygem-actionpack-3_2 (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html : openSUSE-SU-2013:1906-1: moderate: update for rubygem-actionpack-3_2 (Mailing List; Third Party Advisory)
- http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A : Access Denied | CISA (Third Party Advisory; US Government Resource)
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html : openSUSE-SU-2013:1907-1: moderate: update for rubygem-actionpack-3_2 (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html : openSUSE-SU-2013:1904-1: moderate: update for rubygem-actionpack-3_2 (Mailing List; Third Party Advisory)