PT-2013-4237 · Ruby · Ruby On Rails

Joernchen · Published 2013-04-22 · Updated 2022-05-14 · CVE-2013-3221

CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Ruby on Rails versions 2.3.x through 3.2.x

Description: The issue allows remote attackers to conduct data-type injection attacks against Ruby on Rails applications. This is due to the Active Record component not ensuring that the declared data type of a database column is used during comparisons of input values to stored values in that column. The attack can be carried out via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.

Recommendations: For versions 2.3.x through 3.2.x, update to a version that ensures the declared data type of a database column is used during comparisons of input values to stored values in that column. As a temporary workaround, consider restricting the use of the "typed XML" feature to minimize the risk of exploitation.
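As an added illustration (not part of the advisory and not Rails' own code): a simplified plain-Ruby model of how a "type" attribute in typed XML lets the client pick the Ruby class of a parameter, next to a cast_to_column check that forces every lookup value to the column's declared type before it is handed to the database, which is the behaviour the recommendation above asks for. The COLUMNS map, the parameter names and the function names are constructed for this example.

```ruby
require 'rexml/document'

# Simplified model (not Rails' implementation) of typed-XML parameter parsing:
# a type="..." or nil="true" attribute decides the Ruby class of the value,
# so the client, not the application, chooses whether a value is a String,
# an Integer, a boolean or nil.
def parse_typed_xml(xml)
  params = {}
  REXML::Document.new(xml).root.elements.each do |el|
    text = el.text.to_s
    params[el.name] =
      if el.attributes['nil'] == 'true'
        nil
      else
        case el.attributes['type']
        when 'integer' then Integer(text)
        when 'boolean' then text == 'true'
        else text
        end
      end
  end
  params
end

# Declared column types of a hypothetical table, constructed for this example.
COLUMNS = { 'token' => :string, 'id' => :integer }.freeze

# Mitigation: cast each incoming value to the declared type of the column it is
# compared against, and reject values that cannot be cast cleanly. The database
# then only ever compares like with like and never has to coerce a mismatched
# type on its own terms.
def cast_to_column(column, value)
  raise ArgumentError, "#{column}: nil is not a valid lookup value" if value.nil?
  case COLUMNS.fetch(column)
  when :string  then String(value)   # "0", "true", "abc" all stay strings
  when :integer then Integer(value)  # raises ArgumentError/TypeError on junk
  end
end

# Build the conditions for a lookup from already-parsed request parameters.
def safe_lookup_conditions(params)
  params.each_with_object({}) { |(col, val), h| h[col] = cast_to_column(col, val) }
end
```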

Tags: Exploit · Fix · RCE · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2013-3221, GHSA-F57C-HX33-HVH8

Affected Products: Ruby On Rails