CVE-2013-3221

Name	CVE-2013-3221
Description	The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
rails (PTS)	buster	2:5.2.2.1+dfsg-1+deb10u3	fixed
	buster (security)	2:5.2.2.1+dfsg-1+deb10u5	fixed
	bullseye	2:6.0.3.7+dfsg-2	fixed
	bullseye (security)	2:6.0.3.7+dfsg-2+deb11u1	fixed
	bookworm, sid	2:6.1.7+dfsg-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
rails	source	(unstable)	2.3.14.1	unimportant
rails-3.2	source	(unstable)	(unfixed)	unimportant
ruby-activerecord-2.3	source	wheezy	(unfixed)	end-of-life
ruby-activerecord-2.3	source	(unstable)	(unfixed)	unimportant
ruby-activerecord-3.2	source	(unstable)	(unfixed)	unimportant

Starting with 2.3.14.1 rails is a transition package
This is a general design problem and only mitigated by documented best practices