Database Query Bypass in Ruby on Rails Affecting Multiple Versions
CVE-2013-6417
What is CVE-2013-6417?
Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly account for differences in how the Active Record component and the JSON parameter parser handle request parameters. A remote attacker can send a crafted request that, by way of third-party or custom Rack middleware, delivers JSON-typed parameter values (such as `null` inside an array) to Active Record in their raw form. Those values turn an intended lookup into an `IS NULL` comparison or cause a WHERE clause to be omitted, bypassing the database-query restrictions the application intended. The attacker cannot inject arbitrary SQL this way, but can make a query match rows the application never meant to expose. The issue exists because the earlier fix for the same class of problem (CVE-2013-0155) was incomplete; applications on affected versions should upgrade to 3.2.16, 4.0.2 or later.
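The interaction described above, as an added example written for this page rather than code from Rails or Active Record. `predicate_for` is a simplified model of the SQL that an Active Record hash condition such as `where(token: value)` produces (empty arrays are left out because their rendering differed between Rails versions); `deep_munge` is modelled on the parameter munging Rails introduced for CVE-2013-0155; the `users` table, the `token` column and the presence guard in `token_lookup_sql` are assumptions standing in for a typical application. The request bodies are constructed for the example.

```ruby
require 'json'

# Illustrative reimplementations for this example, not Rails code.

# The kind of presence guard most applications write before a lookup:
# nil, an empty string and an empty array count as blank. [nil] does NOT,
# which is exactly what the attacker relies on.
def blank?(value)
  value.nil? || (value.respond_to?(:empty?) && value.empty?)
end

def quote(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Simplified model of the predicate Active Record builds for a hash
# condition: a scalar becomes `=`, nil becomes `IS NULL`, an array becomes
# `IN (...)`, and an array that contains nil gains an `OR ... IS NULL`
# (or collapses to a bare `IS NULL` when nil is all it held).
def predicate_for(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    raise ArgumentError, 'empty array not modelled' if value.empty?
    present = value.compact
    if present.empty?
      "#{column} IS NULL"
    elsif present.size < value.size
      "(#{column} IN (#{present.map { |v| quote(v) }.join(', ')}) OR #{column} IS NULL)"
    else
      "#{column} IN (#{present.map { |v| quote(v) }.join(', ')})"
    end
  else
    "#{column} = #{quote(value)}"
  end
end

# Modelled on the munging Rails applies to request parameters: arrays lose
# their nil elements and an array left empty becomes nil, recursively.
def deep_munge(hash)
  hash.each do |k, v|
    case v
    when Array
      v.grep(Hash) { |x| deep_munge(x) }
      v.compact!
      hash[k] = nil if v.empty?
    when Hash
      deep_munge(v)
    end
  end
  hash
end

# The (assumed) application: reject a missing token, otherwise look the user
# up. Returns nil when the guard rejects the request, else the SQL it would run.
def token_lookup_sql(params)
  token = params['token']
  return nil if blank?(token)
  "SELECT * FROM users WHERE #{predicate_for('token', token)} LIMIT 1"
end

# Parameters exactly as the JSON decoder produced them, i.e. what reaches the
# application when the munging step is skipped.
def unmunged_params(json_body)
  JSON.parse(json_body)
end

# Parameters after munging, i.e. the fixed behaviour.
def munged_params(json_body)
  deep_munge(JSON.parse(json_body))
end

if __FILE__ == $0
  # Constructed request bodies; compare what each path lets through.
  ['{"token":"abc123"}', '{"token":null}', '{"token":[null]}',
   '{"token":["abc123",null]}'].each do |body|
    puts body
    puts "  unmunged: #{token_lookup_sql(unmunged_params(body)).inspect}"
    puts "  munged:   #{token_lookup_sql(munged_params(body)).inspect}"
  end
end
```

Running it shows the shape of the bug: `{"token":null}` is stopped by the presence guard on both paths, but `{"token":[null]}` slips past the guard on the unmunged path and the lookup becomes `WHERE token IS NULL`, matching every user without a token; after munging the same body collapses to nil and is rejected. The security point is that the fix has to be applied wherever parameters enter the application, not only in one parser, which is why middleware that bypassed the munging step kept the bug alive.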