[GHSA-q34c-48gc-m9g8] actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request

[levpachmanov]

Updates

• Affected products
• References

Comments
Added the fixing commit.
Fixing commit - rails/rails@2f3bc04
The code in 2.3.18 (already fixed) - https://github.com/rails/rails/blob/v2.3.18/actionpack/lib/action_controller/request.rb#L498
The code was removed in 3.0.0, and re-introduced in 3.0.13 - https://github.com/rails/rails/blob/v3.0.13/actionpack/lib/action_dispatch/http/request.rb#L264

[advisory-database]

Hi @levpachmanov! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!