CVE-2013-6417

Ruby on Rails 3.x < 3.2.16 and 4.x < 4.0.2 - SQL Query Manipulation via JSON Parameter Handling

Title source: llm

Description

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

References (11)

Core 11

Core References

Mailing List mailing-list x_refsource_mlist

https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2014-0008.html

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2014-0469.html

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2013-1794.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html

Various Sources x_refsource_confirm

http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/

Various Sources x_refsource_confirm

https://puppet.com/security/cve/cve-2013-6417

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2014/dsa-2888

Scores

EPSS 0.0051

EPSS Percentile 66.7%

Details

CWE

CWE-264

Status published

Products (22)

rubygems/actionpack 3.0.0 - 3.2.16RubyGems

rubyonrails/rails 3.0.0 (7 CPE variants)

rubyonrails/rails 3.0.1 (2 CPE variants)

rubyonrails/rails 3.0.2 (2 CPE variants)

rubyonrails/rails 3.0.3

rubyonrails/rails 3.0.4 rc1

rubyonrails/rails 3.0.5 (2 CPE variants)

rubyonrails/rails 3.0.6 (3 CPE variants)

rubyonrails/rails 3.0.7 (3 CPE variants)

rubyonrails/rails 3.0.8 (5 CPE variants)

... and 12 more

Published Dec 07, 2013

Tracked Since Feb 18, 2026