Ruby on Rails Multiple Vulnerabilities

Last Update Date: 10 Jan 2013 10:42 Release Date: 10 Jan 2013

RISK: High Risk

TYPE: Servers - Internet App Servers

Multiple vulnerabilities have been identified in Ruby on Rails. A remote user can generate unsafe queries, bypass authentication systems, inject SQL commands, inject and execute arbitrary code, and cause denial of service conditions.

  1. A remote user can supply specially crafted data to exploit an Active Record validation flaw and a JSON parameter parsing bug, potentially issuing unexpected database queries with "IS NULL" or empty WHERE clauses.
  2. The parameter parsing code does not properly cast values from strings to certain data types, which may allow a remote user to compromise a target Rails application.
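As an added illustration (not code from the advisory or from Rails itself), the following Ruby shows the defensive pattern the first item implies: parsed JSON parameters are normalised so null-only arrays cannot survive, and a credential lookup refuses to build a condition unless the value is a non-empty string. The helper names (sanitize_params, credential_where, lookup_conditions), the UnsafeParameter error class and the reset_token column are assumptions, and the sample inputs are constructed.

```ruby
require 'json'

# Added illustration (not Rails' own code): normalise parsed JSON parameters
# so that arrays consisting only of nulls collapse to nil instead of being
# handed to a query builder as a list that could become "IS NULL" or "IN ()".
def sanitize_params(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k.to_s] = sanitize_params(v) }
  when Array
    cleaned = value.map { |v| sanitize_params(v) }.compact
    cleaned.empty? ? nil : cleaned   # [nil] or [] -> nil, never an empty list
  else
    value
  end
end

class UnsafeParameter < StandardError; end

# Build a WHERE fragment for a credential-bearing column. Anything other than
# a non-empty string (nil, arrays, hashes) is rejected before SQL is built, so
# the application can never issue a lookup that matches rows with a NULL token.
def credential_where(column, value)
  unless value.is_a?(String) && !value.empty?
    raise UnsafeParameter, "#{column} must be a non-empty string"
  end
  ["#{column} = ?", value]
end

# Parse a JSON request body and derive the lookup condition for a token column.
def lookup_conditions(raw_json)
  params = sanitize_params(JSON.parse(raw_json))
  credential_where('reset_token', params['reset_token'])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a well-formed request and a null-valued array.
  p lookup_conditions('{"reset_token":"abc123"}')
  begin
    lookup_conditions('{"reset_token":[null]}')
  rescue UnsafeParameter => e
    puts "rejected: #{e.message}"
  end
end
```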

Impact

  • Cross-Site Scripting
  • Denial of Service
  • Remote Code Execution
  • Security Restriction Bypass

System / Technologies affected

  • Versions prior to 2.3.15, 3.0.19, 3.1.10, and 3.2.11

Solutions

Before installing the updated software, please visit the software manufacturer's website for more details.


Vulnerability Identifier


Source


Related Link