openvas | Copyright (C) 2019 Greenbone AG | OPENVAS:1361412562310114115
History: Jul 25, 2019 - 12:00 a.m.

Ruby on Rails Query Manipulation Vulnerability

2019-07-25 00:00:00
Copyright (C) 2019 Greenbone AG
plugins.openvas.org
17

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

6.6 Medium

AI Score

Confidence

Low

0.009 Low

EPSS

Percentile

82.4%

Ruby on Rails is prone to a query manipulation vulnerability.

# SPDX-FileCopyrightText: 2019 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# Metadata registration: this branch runs only when `description` is set and
# ends with exit(0), so none of the detection logic below it executes in that mode.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.114115");
  script_version("2023-12-20T05:05:58+0000");
  script_tag(name:"last_modification", value:"2023-12-20 05:05:58 +0000 (Wed, 20 Dec 2023)");
  script_tag(name:"creation_date", value:"2019-07-25 13:34:28 +0200 (Thu, 25 Jul 2019)");
  # CVSS v2 base score and vector: network-reachable, low complexity, no
  # authentication, partial confidentiality and integrity impact, no availability impact.
  script_tag(name:"cvss_base", value:"6.4");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:N");

  script_cve_id("CVE-2013-3221");

  # NOTE(review): "remote_banner_unreliable" presumably marks a low-confidence,
  # version-string based result; a hit should be treated as a candidate to
  # confirm on the host, not as proof of an exploitable application - confirm
  # the exact QoD value against the scanner documentation.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  # "Mitigation" rather than a vendor fix: the solution text below states that
  # the risk remains as long as the underlying feature is still supported.
  script_tag(name:"solution_type", value:"Mitigation");

  script_name("Ruby on Rails Query Manipulation Vulnerability");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2019 Greenbone AG");
  script_family("Web application abuses");
  # Depends on the Rails detection script and requires the "rails/detected" key;
  # presumably that key is set by the dependency - verify in gb_rails_consolidation.nasl.
  script_dependencies("gb_rails_consolidation.nasl");
  script_mandatory_keys("rails/detected");

  script_tag(name:"summary", value:"Ruby on Rails is prone to a query manipulation vulnerability.");

  # Root cause as described by the plugin: comparisons of input values against
  # stored column values do not enforce the column's declared data type.
  script_tag(name:"insight", value:"The 'Active Record' component in Ruby on Rails
  does not ensure that the declared data type of a database column is used during
  comparisons of input values to stored values in that column.");

  script_tag(name:"impact", value:"Successful exploitation will make it easier for
  remote attackers to conduct data-type injection attacks against Ruby on Rails
  applications via a crafted value.");

  # The check is a version comparison only; it does not probe application behaviour.
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  # These branches correspond to the 2.3.0 - 3.2.22.5 range tested by the detection logic.
  script_tag(name:"affected", value:"Ruby on Rails versions 2.3.x, 3.0.x, 3.1.x and 3.2.x.");

  # The 4.0.0 recommendation is a risk reduction, not a guaranteed fix: the text
  # itself says later versions only mitigate the issue "to some degree".
  script_tag(name:"solution", value:"We recommend to update to Ruby on Rails 4.0.0 or later. However, refer to the linked
  forum post for additional insight. Later versions definitely made fundamental changes to this component, which might
  mitigate this vulnerability to some degree. According to the forum post, the risk will remain, as long as this feature
  is still supported.");

  script_xref(name:"URL", value:"https://groups.google.com/forum/#!original/rubyonrails-security/ZOdH5GH5jCU/zsFgirjAOx8J");
  script_xref(name:"URL", value:"https://www.rapid7.com/db/vulnerabilities/ruby_on_rails-cve-2013-3221");

  # Stop here in description mode.
  exit(0);
}

# CPE under which the Rails installation is looked up.
CPE = "cpe:/a:rubyonrails:rails";

include( "version_func.inc" );
include( "host_details.inc" );

# Resolve the port associated with the Rails CPE; without one there is nothing to test.
port = get_app_port( cpe: CPE );
if( isnull( port ) )
  exit( 0 );

# Fetch the detected version and install location for that port.
# exit_no_version: TRUE is passed so that installs without a known version are not evaluated.
infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE );
if( ! infos )
  exit( 0 );

vers = infos["version"];
path = infos["location"];

# Version-only decision: anything outside 2.3.0 - 3.2.22.5 ends with exit code 99
# (presumably the scanner's "not affected" result - confirm against the scanner docs).
if( ! version_in_range( version: vers, test_version: "2.3.0", test_version2: "3.2.22.5" ) )
  exit( 99 );

# In-range versions are reported. "4.0.0" is the version named in the report, but the
# plugin's own solution text treats the upgrade as a mitigation, so a finding should be
# followed up by reviewing how the application passes request values into Active Record queries.
report = report_fixed_ver( installed_version: vers, fixed_version: "4.0.0", install_path: path );
security_message( data: report, port: port );
exit( 0 );
