Vulnerability-Lookup

FKIE_CVE-2013-3221

Vulnerability from fkie_nvd - Published: 2013-04-22 03:27 - Updated: 2025-04-11 00:51

Severity ?

Summary

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.

References

URL	Tags
cve@mitre.org	http://openwall.com/lists/oss-security/2013/02/06/7
cve@mitre.org	http://openwall.com/lists/oss-security/2013/04/24/7
cve@mitre.org	http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/
cve@mitre.org	http://www.phenoelit.org/blog/archives/2013/02/index.html	Exploit
cve@mitre.org	https://gist.github.com/dakull/5442275
cve@mitre.org	https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain
af854a3a-2127-422b-91ae-364da2661108	http://openwall.com/lists/oss-security/2013/02/06/7
af854a3a-2127-422b-91ae-364da2661108	http://openwall.com/lists/oss-security/2013/04/24/7
af854a3a-2127-422b-91ae-364da2661108	http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/
af854a3a-2127-422b-91ae-364da2661108	http://www.phenoelit.org/blog/archives/2013/02/index.html	Exploit
af854a3a-2127-422b-91ae-364da2661108	https://gist.github.com/dakull/5442275
af854a3a-2127-422b-91ae-364da2661108	https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain

Impacted products

Vendor	Product	Version
rubyonrails	rails	2.3.0
rubyonrails	rails	2.3.1
rubyonrails	rails	2.3.2
rubyonrails	rails	2.3.3
rubyonrails	rails	2.3.4
rubyonrails	rails	2.3.9
rubyonrails	rails	2.3.10
rubyonrails	rails	2.3.11
rubyonrails	rails	2.3.12
rubyonrails	rails	2.3.13
rubyonrails	rails	2.3.14
rubyonrails	rails	2.3.15
rubyonrails	rails	2.3.16
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.1
rubyonrails	rails	3.0.1
rubyonrails	rails	3.0.2
rubyonrails	rails	3.0.2
rubyonrails	rails	3.0.3
rubyonrails	rails	3.0.4
rubyonrails	rails	3.0.5
rubyonrails	rails	3.0.5
rubyonrails	rails	3.0.6
rubyonrails	rails	3.0.6
rubyonrails	rails	3.0.6
rubyonrails	rails	3.0.7
rubyonrails	rails	3.0.7
rubyonrails	rails	3.0.7
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.10
rubyonrails	rails	3.0.10
rubyonrails	rails	3.0.11
rubyonrails	rails	3.0.12
rubyonrails	rails	3.0.12
rubyonrails	rails	3.0.13
rubyonrails	rails	3.0.13
rubyonrails	rails	3.0.14
rubyonrails	rails	3.0.16
rubyonrails	rails	3.0.17
rubyonrails	rails	3.0.18
rubyonrails	rails	3.0.19
rubyonrails	rails	3.0.20
rubyonrails	ruby_on_rails	3.0.4
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.1
rubyonrails	rails	3.1.1
rubyonrails	rails	3.1.1
rubyonrails	rails	3.1.1
rubyonrails	rails	3.1.2
rubyonrails	rails	3.1.2
rubyonrails	rails	3.1.2
rubyonrails	rails	3.1.3
rubyonrails	rails	3.1.4
rubyonrails	rails	3.1.4
rubyonrails	rails	3.1.5
rubyonrails	rails	3.1.5
rubyonrails	rails	3.1.6
rubyonrails	rails	3.1.7
rubyonrails	rails	3.1.8
rubyonrails	rails	3.1.9
rubyonrails	rails	3.1.10
rubyonrails	rails	3.2.0
rubyonrails	rails	3.2.0
rubyonrails	rails	3.2.0
rubyonrails	rails	3.2.1
rubyonrails	rails	3.2.2
rubyonrails	rails	3.2.2
rubyonrails	rails	3.2.3
rubyonrails	rails	3.2.3
rubyonrails	rails	3.2.3
rubyonrails	rails	3.2.4
rubyonrails	rails	3.2.4
rubyonrails	rails	3.2.5
rubyonrails	rails	3.2.6
rubyonrails	rails	3.2.7
rubyonrails	rails	3.2.8
rubyonrails	rails	3.2.9
rubyonrails	rails	3.2.10
rubyonrails	rails	3.2.11

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
              "matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
              "matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
              "matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
              "matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
              "matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."
    },
    {
      "lang": "es",
      "value": "El componente Active Record en Ruby on Rails 2.3.x, 3.0.x, 3.1.x, y 3.2.x, no asegura que el tipo de dato declarado de una columna de la base de datos sea usado durante la comparaci\u00f3n con los valores de entrada almacenados en dicha columna, lo que facilita a atacantes remotos a llevar a cabo ataques de inyecci\u00f3n de tipos de datos (data-types) contra las aplicaciones de Ruby on Rails a trav\u00e9s de un valor manipulado, como se ha demostrado mediante una transacci\u00f3n entre la caracter\u00edstica \"typed XML\" y la base de datos de MySQL."
    }
  ],
  "id": "CVE-2013-3221",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-04-22T03:27:13.363",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://openwall.com/lists/oss-security/2013/02/06/7"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://openwall.com/lists/oss-security/2013/04/24/7"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://gist.github.com/dakull/5442275"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source\u0026output=gplain"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://openwall.com/lists/oss-security/2013/02/06/7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://openwall.com/lists/oss-security/2013/04/24/7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://gist.github.com/dakull/5442275"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source\u0026output=gplain"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2013-3221 (GCVE-0-2013-3221)

Vulnerability from cvelistv5 – Published: 2013-04-22 01:00 – Updated: 2024-08-06 16:00

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://pl.reddit.com/r/netsec/comments/17yajp/mys…	x_refsource_MISC
	https://groups.google.com/group/rubyonrails-secur…	mailing-listx_refsource_MLIST
	http://www.phenoelit.org/blog/archives/2013/02/in…	x_refsource_MISC
	http://openwall.com/lists/oss-security/2013/04/24/7	mailing-listx_refsource_MLIST
	https://gist.github.com/dakull/5442275	x_refsource_CONFIRM
	http://openwall.com/lists/oss-security/2013/02/06/7	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:00:10.162Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"
          },
          {
            "name": "[rubyonrails-security] 20130207 Potential Query Manipulation with Common Rails Practises",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source\u0026output=gplain"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"
          },
          {
            "name": "[oss-security] 20130424 CVE-2013-3221 can also relate to Microsoft SQL Server and IBM DB2",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2013/04/24/7"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://gist.github.com/dakull/5442275"
          },
          {
            "name": "[oss-security] 20130207 Potential Query Manipulation with Common Rails Practises",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2013/02/06/7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-02-05T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-04-25T09:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"
        },
        {
          "name": "[rubyonrails-security] 20130207 Potential Query Manipulation with Common Rails Practises",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source\u0026output=gplain"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"
        },
        {
          "name": "[oss-security] 20130424 CVE-2013-3221 can also relate to Microsoft SQL Server and IBM DB2",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2013/04/24/7"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://gist.github.com/dakull/5442275"
        },
        {
          "name": "[oss-security] 20130207 Potential Query Manipulation with Common Rails Practises",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2013/02/06/7"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-3221",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/",
              "refsource": "MISC",
              "url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"
            },
            {
              "name": "[rubyonrails-security] 20130207 Potential Query Manipulation with Common Rails Practises",
              "refsource": "MLIST",
              "url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source\u0026output=gplain"
            },
            {
              "name": "http://www.phenoelit.org/blog/archives/2013/02/index.html",
              "refsource": "MISC",
              "url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"
            },
            {
              "name": "[oss-security] 20130424 CVE-2013-3221 can also relate to Microsoft SQL Server and IBM DB2",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2013/04/24/7"
            },
            {
              "name": "https://gist.github.com/dakull/5442275",
              "refsource": "CONFIRM",
              "url": "https://gist.github.com/dakull/5442275"
            },
            {
              "name": "[oss-security] 20130207 Potential Query Manipulation with Common Rails Practises",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2013/02/06/7"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-3221",
    "datePublished": "2013-04-22T01:00:00.000Z",
    "dateReserved": "2013-04-21T00:00:00.000Z",
    "dateUpdated": "2024-08-06T16:00:10.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2013-3221

CVE-2013-3221 (GCVE-0-2013-3221)

Tags

Sightings

Nomenclature