CVE-2013-1854 – activerecord
Package
Manager: gem
Name: activerecord
Vulnerable Version: >=2.3.0 <2.3.18 || >=3.1.0 <3.1.12 || >=3.2.0 <3.2.13
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01795 (percentile: 0.82039)
Details
Active Record Improper Input Validation
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
Metadata
Created: 2017-10-24T18:33:37Z
Modified: 2023-08-25T23:15:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-3crr-9vmg-864v/GHSA-3crr-9vmg-864v.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-3crr-9vmg-864v
Finding: F184
Auto approve: 1