Description
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.