1. Home
  2. CVE Database
  3. CVE-2013-3221
MEDIUM · 6.4

CVE-2013-3221

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values...

Vulnerability Description

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.

CVSS Score

6.4

MEDIUM

AV:N/AC:L/Au:N/C:P/I:P/A:N
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
NONE

Affected Products

VendorProductVersions
RubyonrailsRails2.3.0
RubyonrailsRuby On Rails3.0.4

Related Weaknesses (CWE)

CWE-20

References

FAQ

What is CVE-2013-3221?

CVE-2013-3221 is a vulnerability with a CVSS score of 6.4 (MEDIUM). The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values...

How severe is CVE-2013-3221?

CVE-2013-3221 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-3221?

Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Rails, Rubyonrails Ruby On Rails.