Source: gitlab, https://gitlab.com/gitlab-org/security-products/gemnasium-db
ID: GITLAB-59F04E0ACD671317883EA13389FA4831
Mar 19, 2013 - 12:00 a.m.

Symbol DoS vulnerability in Active Record


CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
CVSS2 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.089 Low
Percentile: 94.6%

When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce params[:name] to return a hash, and the keys of that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected configurations

gem activerecord, Range <2.3.18
OR
gem activerecord, Range 2.4.0
OR
gem activerecord, Range <3.0.0
OR
gem activerecord, Range 3.1.0
OR
gem activerecord, Range <3.1.12
OR
gem activerecord, Range 3.2.0
OR
gem activerecord, Range <3.2.13
