Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
{
"cpe": [
"cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.7:*:*:*:*:*:*:*",
"cpe:2.3:a:rubyonrails:rails:4.2.7:rc1:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "4.2.0"
},
{
"last_affected": "4.2.0"
},
{
"introduced": "4.2.0-beta1"
},
{
"last_affected": "4.2.0-beta1"
},
{
"introduced": "4.2.0-beta2"
},
{
"last_affected": "4.2.0-beta2"
},
{
"introduced": "4.2.0-beta3"
},
{
"last_affected": "4.2.0-beta3"
},
{
"introduced": "4.2.0-beta4"
},
{
"last_affected": "4.2.0-beta4"
},
{
"introduced": "4.2.0-rc1"
},
{
"last_affected": "4.2.0-rc1"
},
{
"introduced": "4.2.0-rc2"
},
{
"last_affected": "4.2.0-rc2"
},
{
"introduced": "4.2.0-rc3"
},
{
"last_affected": "4.2.0-rc3"
},
{
"introduced": "4.2.1"
},
{
"last_affected": "4.2.1"
},
{
"introduced": "4.2.1-rc1"
},
{
"last_affected": "4.2.1-rc1"
},
{
"introduced": "4.2.1-rc2"
},
{
"last_affected": "4.2.1-rc2"
},
{
"introduced": "4.2.1-rc3"
},
{
"last_affected": "4.2.1-rc3"
},
{
"introduced": "4.2.1-rc4"
},
{
"last_affected": "4.2.1-rc4"
},
{
"introduced": "4.2.2"
},
{
"last_affected": "4.2.2"
},
{
"introduced": "4.2.3"
},
{
"last_affected": "4.2.3"
},
{
"introduced": "4.2.3-rc1"
},
{
"last_affected": "4.2.3-rc1"
},
{
"introduced": "4.2.4"
},
{
"last_affected": "4.2.4"
},
{
"introduced": "4.2.4-rc1"
},
{
"last_affected": "4.2.4-rc1"
},
{
"introduced": "4.2.5"
},
{
"last_affected": "4.2.5"
},
{
"introduced": "4.2.5-rc1"
},
{
"last_affected": "4.2.5-rc1"
},
{
"introduced": "4.2.5-rc2"
},
{
"last_affected": "4.2.5-rc2"
},
{
"introduced": "4.2.5.1"
},
{
"last_affected": "4.2.5.1"
},
{
"introduced": "4.2.5.2"
},
{
"last_affected": "4.2.5.2"
},
{
"introduced": "4.2.6"
},
{
"last_affected": "4.2.6"
},
{
"introduced": "4.2.6-rc1"
},
{
"last_affected": "4.2.6-rc1"
},
{
"introduced": "4.2.7"
},
{
"last_affected": "4.2.7"
},
{
"introduced": "4.2.7-rc1"
},
{
"last_affected": "4.2.7-rc1"
}
],
"source": "CPE_STRING"
}