Unsafe Query Generation Risk in Ruby on Rails
Bug #1100188 reported by Christian Kuersteiner
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| rails (Ubuntu) | Invalid | Undecided | Unassigned | |
| rails (Ubuntu): Lucid | Won't Fix | Undecided | Unassigned | |
| rails (Ubuntu): Oneiric | Invalid | Undecided | Unassigned | |
| rails (Ubuntu): Precise | Invalid | Undecided | Unassigned | |
| rails (Ubuntu): Quantal | Invalid | Undecided | Unassigned | |
| rails (Ubuntu): Raring | Invalid | Undecided | Unassigned | |
| ruby-actionpack-2.3 (Ubuntu) | Invalid | Undecided | Unassigned | |
| ruby-actionpack-2.3 (Ubuntu): Lucid | Invalid | Undecided | Unassigned | |
| ruby-actionpack-2.3 (Ubuntu): Oneiric | Invalid | Undecided | Unassigned | |
| ruby-actionpack-2.3 (Ubuntu): Precise | Invalid | Undecided | Unassigned | |
| ruby-actionpack-2.3 (Ubuntu): Quantal | Invalid | Undecided | Unassigned | |
| ruby-actionpack-2.3 (Ubuntu): Raring | Invalid | Undecided | Unassigned | |
| ruby-actionpack-3.2 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| ruby-actionpack-3.2 (Ubuntu): Lucid | Invalid | Undecided | Unassigned | |
| ruby-actionpack-3.2 (Ubuntu): Oneiric | Invalid | Undecided | Unassigned | |
| ruby-actionpack-3.2 (Ubuntu): Precise | Invalid | Undecided | Unassigned | |
| ruby-actionpack-3.2 (Ubuntu): Quantal | Fix Released | Undecided | Christian Kuersteiner | |
| ruby-actionpack-3.2 (Ubuntu): Raring | Fix Released | Undecided | Unassigned | |
| ruby-activerecord-2.3 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| ruby-activerecord-2.3 (Ubuntu): Lucid | Invalid | Undecided | Unassigned | |
| ruby-activerecord-2.3 (Ubuntu): Oneiric | Fix Released | Undecided | Unassigned | |
| ruby-activerecord-2.3 (Ubuntu): Precise | Fix Released | Undecided | Unassigned | |
| ruby-activerecord-2.3 (Ubuntu): Quantal | Fix Released | Undecided | Unassigned | |
| ruby-activerecord-2.3 (Ubuntu): Raring | Fix Released | Undecided | Unassigned | |
| ruby-activerecord-3.2 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| ruby-activerecord-3.2 (Ubuntu): Lucid | Invalid | Undecided | Unassigned | |
| ruby-activerecord-3.2 (Ubuntu): Oneiric | Invalid | Undecided | Unassigned | |
| ruby-activerecord-3.2 (Ubuntu): Precise | Invalid | Undecided | Unassigned | |
| ruby-activerecord-3.2 (Ubuntu): Quantal | Fix Released | Undecided | Unassigned | |
| ruby-activerecord-3.2 (Ubuntu): Raring | Fix Released | Undecided | Unassigned | |
Bug Description
There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing.
See also: http://
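The description is terse, so here is an added illustration of the class of problem it names (this is my own example, not code from the bug report, from Rails or from the Ubuntu packages). The point is a type-confusion on parameter values: a form-encoded body can only ever deliver strings, so code like `User.find_by_token(params[:token])` was written assuming a String, but a JSON body can deliver `null` or `[null]`, which Active Record's where-hash turned into `IS NULL` / `IN (NULL)` predicates that match rows the caller never intended. The `where_sql` helper below is an assumption-labelled stand-in that renders those predicates the way the where-hash did; the table and column names, the `lookup_by_token_*` functions and the sample JSON bodies are all constructed for the example.

```ruby
require 'json'

# Stand-in renderer (assumption, not Active Record code) for the predicates a
# where-hash produced from a single value: String -> equality, nil -> IS NULL,
# Array -> IN list with NULL for nil elements.
def where_sql(table, column, value)
  predicate =
    case value
    when nil    then "IS NULL"
    when String then "= '#{value.gsub("'", "''")}'"
    when Array
      items = value.map { |v| v.nil? ? "NULL" : "'#{v.to_s.gsub("'", "''")}'" }
      "IN (#{items.join(', ')})"
    else
      raise ArgumentError, "unsupported value type #{value.class}"
    end
  "SELECT * FROM #{table} WHERE #{table}.#{column} #{predicate}"
end

# Vulnerable pattern: hand whatever the JSON parser returned straight to the
# query builder. With form encoding this value could only be a String; with a
# JSON body the attacker chooses its type.
def lookup_by_token_unsafe(json_body)
  params = JSON.parse(json_body)
  where_sql("users", "token", params["token"])
end

# Hardened pattern: refuse anything that is not a non-empty String before it
# reaches the query, so null and [null] can no longer become IS NULL / IN (NULL).
def lookup_by_token_safe(json_body)
  params = JSON.parse(json_body)
  token = params["token"]
  return nil unless token.is_a?(String) && !token.empty?
  where_sql("users", "token", token)
end

if __FILE__ == $0
  # Constructed request bodies: a legitimate token, then the two JSON shapes an
  # attacker can send that a form-encoded request never could.
  ['{"token": "s3cr3t"}', '{"token": null}', '{"token": [null]}'].each do |body|
    puts "unsafe #{body}  =>  #{lookup_by_token_unsafe(body)}"
    puts "safe   #{body}  =>  #{lookup_by_token_safe(body).inspect}"
  end
end
```

Running it shows the unsafe lookup emitting `WHERE users.token IS NULL` for `{"token": null}` and `IN (NULL)` for `{"token": [null]}`, while the hardened lookup returns `nil` for both and only builds a query for a real string. The same guard belongs on every parameter that is fed to a finder or `where` call, since any nullable column is affected, not just tokens.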
information type: Private Security → Public Security
Debian published http://www.debian.org/security/2013/dsa-2609 for this. Interestingly, they patched squeeze (2.3.5-1.2+squeeze5) so this might not actually be just for 3.x.