Ruby

By DeepSource

Rails version with ActiveRecord symbol DOS vulnerability detected RB-A1004

Security

Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12 and 3.2.x before 3.2.13 are vulnerable to an Active Record symbol denial-of-service attack, tracked as CVE-2013-1854. Upgrading to the patched release of your series (2.3.18, 3.1.12 or 3.2.13) or any later version fixes this issue.

The Active Record component in vulnerable Rails versions processes certain queries by converting hash keys to symbols. Before Ruby 2.2, symbols were never garbage collected, so a remote attacker who controls the keys of a hash passed to the where method (for example, request parameters forwarded directly as conditions) can create an unbounded number of symbols with crafted input and exhaust the process's memory, causing a denial of service. Upgrading removes the unsafe symbolization inside Active Record; independently of the upgrade, only allow-listed column names should ever reach where as condition keys.
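As an added example (not DeepSource's rule implementation and not Rails code), the following Ruby shows both halves of a practitioner's response: a version check against the CVE ranges above, read from a constructed Gemfile.lock, and the hardened condition-building pattern beside the vulnerable one. The lockfile layout the parser assumes, the column allow-list and the sample request keys are assumptions made for this example.

```ruby
# Added example (not DeepSource's or Rails' code). Two checks for this rule:
#   1. decide whether the Rails version in a Gemfile.lock falls in the ranges
#      listed for CVE-2013-1854 (2.3.x < 2.3.18, 3.1.x < 3.1.12, 3.2.x < 3.2.13);
#   2. build where conditions from request parameters without interning
#      attacker-chosen hash keys as symbols.
require 'rubygems'
require 'set'

# First patched release of each affected series, per the CVE ranges above.
FIXED_RELEASES = {
  "2.3" => Gem::Version.new("2.3.18"),
  "3.1" => Gem::Version.new("3.1.12"),
  "3.2" => Gem::Version.new("3.2.13"),
}.freeze

# True when rails_version is inside one of the affected ranges. Series not
# listed by the CVE (e.g. 4.x) are reported as not affected by this rule.
def vulnerable_to_cve_2013_1854?(rails_version)
  version = Gem::Version.new(rails_version)
  series = version.segments.first(2).join(".")
  fixed = FIXED_RELEASES[series]
  return false if fixed.nil?
  version < fixed
end

# Pull the resolved rails version out of Gemfile.lock text. Resolved gems sit
# under "specs:" indented by exactly four spaces, as "    rails (3.2.12)";
# dependency lines are indented further and carry an operator, so they do not
# match. (Assumed lockfile layout for this example, not a library API.)
def rails_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^ {4}rails \(([\w.]+)\)\s*$/)
  match && match[1]
end

# Constructed sample lockfile for a project pinned to a vulnerable release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activerecord (3.2.12)
        activesupport (= 3.2.12)
      activesupport (3.2.12)
      rails (3.2.12)
        activerecord (= 3.2.12)

  DEPENDENCIES
    rails (= 3.2.12)
LOCK

# ---- Condition handling --------------------------------------------------

# Vulnerable pattern, mirroring what the affected Active Record code did:
# every key of the untrusted hash is interned with to_sym. On Ruby < 2.2,
# symbols were never garbage collected, so each request with fresh random
# keys leaked memory for the life of the process.
def symbolize_untrusted_keys(params)
  params.each_with_object({}) { |(key, value), out| out[key.to_sym] = value }
end

# Hardened pattern: compare the incoming key as a string against a fixed
# allow-list of column names, and only then symbolize it. The set of symbols
# that can ever be created is bounded by the allow-list, not by the attacker.
ALLOWED_COLUMNS = Set.new(%w[name email]).freeze  # assumed schema

class UnknownConditionKey < ArgumentError; end

def safe_conditions(params, allowed = ALLOWED_COLUMNS)
  params.each_with_object({}) do |(key, value), out|
    name = key.to_s
    unless allowed.include?(name)
      raise UnknownConditionKey, "rejected condition key #{name.inspect}"
    end
    out[name.to_sym] = value
  end
end

# Constructed attacker input: one legitimate key plus random-looking keys of
# the kind a DoS client would vary on every request.
ATTACKER_PARAMS = {
  "name"    => "alice",
  "x9f3a1c" => "1",
  "k7b2d0e" => "1",
}.freeze

if __FILE__ == $PROGRAM_NAME
  version = rails_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "rails #{version}: #{vulnerable_to_cve_2013_1854?(version) ? 'VULNERABLE' : 'not affected'}"
  puts "naive keys: #{symbolize_untrusted_keys(ATTACKER_PARAMS).keys.inspect}"
  begin
    safe_conditions(ATTACKER_PARAMS)
  rescue UnknownConditionKey => e
    puts "hardened: #{e.message}"
  end
end
```

Run it as a script to see the sample lockfile flagged and the attacker keys rejected. The version check is deliberately limited to the three series the CVE names; anything else returns false so that the function does not speculate about releases the advisory does not cover.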

References

  1. CVE-2013-1854 - Rails Security Group advisory
  2. CVE-2013-1854 - GitHub Advisory Database
  3. OWASP Top 10 (2017) - A8 - Insecure Deserialization
  4. OWASP Top 10 (2017) - A9 - Using Components with Known Vulnerabilities