CVE-2013-0155 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2013-0155 Interim 1 12 2023-12-09T01:41:46Z current 2021-05-30T13:08:03Z 2023-12-09T01:41:46Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2013-0155 Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2013-March/000391.html E-Mail link for SUSE-SU-2013:0486-1 https://lists.suse.com/pipermail/sle-security-updates/2013-March/000394.html E-Mail link for SUSE-SU-2013:0508-1 https://lists.suse.com/pipermail/sle-security-updates/2013-April/000406.html E-Mail link for SUSE-SU-2013:0606-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KMVCZZTRUSUFV6LLNAQMWSUAF6Y7SERC/#KMVCZZTRUSUFV6LLNAQMWSUAF6Y7SERC E-Mail link for openSUSE-SU-2013:0278-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GBLQOM2XYV3J24EPNTAKUGMURAOQGL2Y/#GBLQOM2XYV3J24EPNTAKUGMURAOQGL2Y E-Mail link for openSUSE-SU-2013:0280-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Studio Onsite Runner 1.2 rubygem-actionmailer-2_3-2.3.17-0.6.1 rubygem-actionmailer-2_3-2.3.17-0.9.1 rubygem-actionpack-2_3-2.3.17-0.6.1 rubygem-actionpack-2_3-2.3.17-0.9.1 rubygem-actionpack-3_2-3.2.12-0.19.1 rubygem-activerecord-2_3-2.3.17-0.6.1 rubygem-activerecord-2_3-2.3.17-0.9.1 rubygem-activerecord-3_2-3.2.12-0.11.1 rubygem-activeresource-2_3-2.3.17-0.6.1 rubygem-activeresource-2_3-2.3.17-0.9.1 rubygem-activesupport-2_3-2.3.17-0.6.1 rubygem-activesupport-2_3-2.3.17-0.9.1 rubygem-rails-2.3.17-0.8.1 rubygem-rails-2_3-2.3.17-0.6.2 rubygem-rails-2_3-2.3.17-0.9.1 rubygem-actionmailer-2_3-2.3.17-0.9.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP2 rubygem-actionpack-2_3-2.3.17-0.9.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP2 rubygem-activerecord-2_3-2.3.17-0.9.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP2 rubygem-activeresource-2_3-2.3.17-0.9.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP2 rubygem-activesupport-2_3-2.3.17-0.9.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP2 rubygem-rails-2.3.17-0.8.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP2 rubygem-rails-2_3-2.3.17-0.9.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP2 rubygem-actionpack-3_2-3.2.12-0.19.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 rubygem-activerecord-3_2-3.2.12-0.11.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 rubygem-actionmailer-2_3-2.3.17-0.6.1 as a component of SUSE Studio Onsite Runner 1.2 rubygem-actionpack-2_3-2.3.17-0.6.1 as a component of SUSE Studio Onsite Runner 1.2 rubygem-activerecord-2_3-2.3.17-0.6.1 as a component of SUSE Studio Onsite Runner 1.2 rubygem-activeresource-2_3-2.3.17-0.6.1 as a component of SUSE Studio Onsite Runner 1.2 rubygem-activesupport-2_3-2.3.17-0.6.1 as a component of SUSE Studio Onsite Runner 1.2 rubygem-rails-2_3-2.3.17-0.6.2 as a component of SUSE Studio Onsite Runner 1.2 Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694. CVE-2013-0155 SUSE Linux Enterprise Software Development Kit 11 SP2:rubygem-actionmailer-2_3-2.3.17-0.9.1 SUSE Linux Enterprise Software Development Kit 11 SP2:rubygem-actionpack-2_3-2.3.17-0.9.1 SUSE Linux Enterprise Software Development Kit 11 SP2:rubygem-activerecord-2_3-2.3.17-0.9.1 SUSE Linux Enterprise Software Development Kit 11 SP2:rubygem-activeresource-2_3-2.3.17-0.9.1 SUSE Linux Enterprise Software Development Kit 11 SP2:rubygem-activesupport-2_3-2.3.17-0.9.1 SUSE Linux Enterprise Software Development Kit 11 SP2:rubygem-rails-2.3.17-0.8.1 SUSE Linux Enterprise Software Development Kit 11 SP2:rubygem-rails-2_3-2.3.17-0.9.1 SUSE Linux Enterprise Software Development Kit 11 SP4:rubygem-actionpack-3_2-3.2.12-0.19.1 SUSE Linux Enterprise Software Development Kit 11 SP4:rubygem-activerecord-3_2-3.2.12-0.11.1 SUSE Studio Onsite Runner 1.2:rubygem-actionmailer-2_3-2.3.17-0.6.1 SUSE Studio Onsite Runner 1.2:rubygem-actionpack-2_3-2.3.17-0.6.1 SUSE Studio Onsite Runner 1.2:rubygem-activerecord-2_3-2.3.17-0.6.1 SUSE Studio Onsite Runner 1.2:rubygem-activeresource-2_3-2.3.17-0.6.1 SUSE Studio Onsite Runner 1.2:rubygem-activesupport-2_3-2.3.17-0.6.1 SUSE Studio Onsite Runner 1.2:rubygem-rails-2_3-2.3.17-0.6.2 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N