Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Ruby on Rails SQL注入漏洞
Vulnerability Description
Ruby on Rails(Rails)是Rails核心团队开发维护的一套基于Ruby语言的开源Web应用框架,它是由大卫-海纳梅尔-韩森从美国37signals公司的项目管理工具Basecamp里分离出来的。 Rails on Ruby中的actionpack/lib/action_dispatch/http/request.rb中存在漏洞。当使用ActionPack时,参数解析Rack的方式中存在漏洞。攻击者可利用该漏洞把“IS NULL”where子句插入到SQL查询中。
CVSS Information
N/A
Vulnerability Type
N/A