Commit c9ea300

GHSA SYNC: advisories (1 brand new and 1 updated)
1 parent ac90497 commit c9ea300

2 files changed

Lines changed: 40 additions & 2 deletions

Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
---
2+
gem: activerecord
3+
framework: rails
4+
cve: 2013-3221
5+
ghsa: f57c-hx33-hvh8
6+
url: https://nvd.nist.gov/vuln/detail/CVE-2013-3221
7+
title: Data-type injection vulnerability
8+
date: 2013-04-21
9+
description: |
10+
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x,
11+
and 3.2.x does not ensure that the declared data type of a database
12+
column is used during comparisons of input values to stored values
13+
in that column, which makes it easier for remote attackers to
14+
conduct data-type injection attacks against Ruby on Rails applications
15+
via a crafted value, as demonstrated by unintended interaction
16+
between the "typed XML" feature and a MySQL database.
17+
18+
## RELEASE INFO
19+
- Phrack writeup says that 'couple of days after the advisory the
20+
issue was "fixed" in Rails 3.2.12 as by the following commit' 921a296.
21+
But "Indeed the vector is completely fixed as of Rails 4.2 almost
22+
two years after the original advisory."
23+
cvss_v2: 6.4
24+
patched_versions:
25+
- ">= 4.2"
26+
related:
27+
url:
28+
- https://nvd.nist.gov/vuln/detail/CVE-2013-3221
29+
- https://github.com/rails/rails/commit/c9909db9f2f81575ef2ea2ed3b4e8743c8d6f1b9
30+
- https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8
31+
- https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce
32+
- http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails
33+
- http://openwall.com/lists/oss-security/2013/02/06/7
34+
- http://openwall.com/lists/oss-security/2013/04/24/7
35+
- https://gist.github.com/marianposaceanu/5442275
36+
- https://web.archive.org/web/20160307143147/http://www.phenoelit.org/blog/archives/2013/02/index.html
37+
- https://github.com/advisories/GHSA-f57c-hx33-hvh8
38+
- https://phrack.org/issues/69/12
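Review bot: the version range in this hunk is internally inconsistent: `patched_versions: - ">= 4.2"` leaves every 4.0.x and 4.1.x release flagged as vulnerable, yet the description names only 2.3.x, 3.0.x, 3.1.x and 3.2.x as affected, and the RELEASE INFO bullet says the issue was "fixed" in 3.2.12. Either state in the description that 4.0 and 4.1 remain affected (the quoted Phrack line that the vector is "completely fixed as of Rails 4.2" supports that reading), or narrow the range to what the evidence covers. Two smaller points in the same hunk: the `## RELEASE INFO` bullets are quoted research notes and read poorly inside the user-facing description (the bare `921a296` after the closing quote and the mix of single and double quotes make that sentence hard to parse; consider rewording it as "partially fixed in Rails 3.2.12 by commit 921a296" and keeping the full SHA only under `related:`), and `date: 2013-04-21` should be checked against the February 2013 oss-security, reddit and phenoelit references listed under `related:`, which indicate the issue was public well before that date.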

rubies/ruby/CVE-2009-1904.yml

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
engine: ruby
33
cve: 2009-1904
4-
ghsa: v74x-h8vc-p3j5
4+
ghsa: prwc-wj59-8vwr
55
osvdb: 55031
66
url: https://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal
77
title: "CVE-2009-1904 ruby: DoS vulnerability in BigDecimal"
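Review bot: the `ghsa:` field is swapped from v74x-h8vc-p3j5 to prwc-wj59-8vwr with no explanation beyond "1 updated" in the commit message. Record why the previous identifier no longer applies (withdrawn, duplicate, or remapped on the GitHub side) so that consumers who already pinned the old ID understand the change; a sentence in the commit message or a `#` comment beside the field would be enough.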
@@ -19,5 +19,5 @@ related:
1919
url:
2020
- https://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal
2121
- https://nvd.nist.gov/vuln/detail/CVE-2009-1904
22-
- https://github.com/advisories/GHSA-v74x-h8vc-p3j5
22+
- https://github.com/advisories/GHSA-prwc-wj59-8vwr
2323
- http://www.osvdb.org/show/osvdb/55031
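Review bot: the old advisory URL is removed rather than kept beside the new one. If https://github.com/advisories/GHSA-v74x-h8vc-p3j5 still resolves, keeping it in the `related: url:` list costs nothing and preserves matching for tooling that indexed the old identifier; if it no longer resolves, dropping it is right and that reason belongs in the commit message alongside the `ghsa:` change above.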
