CVE-2013-6417

NONECVSS 0.0

0.0

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

🔗 References (22)

secalert@redhathttp://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
secalert@redhathttp://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
secalert@redhathttp://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
secalert@redhathttp://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
secalert@redhathttp://rhn.redhat.com/errata/RHSA-2013-1794.html
secalert@redhathttp://rhn.redhat.com/errata/RHSA-2014-0008.html
secalert@redhathttp://rhn.redhat.com/errata/RHSA-2014-0469.html
secalert@redhathttp://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
secalert@redhathttp://www.debian.org/security/2014/dsa-2888
secalert@redhathttps://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ
secalert@redhathttps://puppet.com/security/cve/cve-2013-6417
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html

Is Your Infrastructure Affected by CVE-2013-6417?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2013-6417

📅 Published

🔄 Last Modified

🔗 References (22)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2013-6417?