exploitDog

CVE-2013-6417

Published: 03 Dec 2013
Source: redhat
CVSS2: 6.4
EPSS: Low

Description

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

Affected packages

| Platform                           | Package                    | State        | Advisory       | Release    |
|------------------------------------|----------------------------|--------------|----------------|------------|
| OpenShift Enterprise 1             | ruby193-rubygem-actionpack | Will not fix |                |            |
| Red Hat OpenStack Platform 4       | ruby193-rubygem-actionpack | Affected     |                |            |
| Red Hat Satellite 6                | ruby193-rubygem-actionpack | Affected     |                |            |
| Red Hat Software Collections       | ror40-rubygem-actionpack   | Not affected |                |            |
| Red Hat Subscription Asset Manager | ruby193-rubygem-actionpack | Affected     |                |            |
| Red Hat Subscription Asset Manager | rubygem-actionpack         | Will not fix |                |            |
| CloudForms Management Engine 5.x   | cfme                       | Fixed        | RHSA-2014:0469 | 12.05.2014 |
| CloudForms Management Engine 5.x   | postgresql92-postgresql    | Fixed        | RHSA-2014:0469 | 12.05.2014 |
| CloudForms Management Engine 5.x   | prince                     | Fixed        | RHSA-2014:0469 | 12.05.2014 |
| CloudForms Management Engine 5.x   | ruby193-rubygem-actionpack | Fixed        | RHSA-2014:0469 | 12.05.2014 |


Additional information

Status: Important
Defect: CWE-89
https://bugzilla.redhat.com/show_bug.cgi?id=1036409
rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013-0155)

EPSS

Percentile: 66%
Score: 0.00512
Low

CVSS2

6.4 Medium

Related vulnerabilities

ubuntu, about 12 years ago: same description as the Red Hat entry above.

nvd, about 12 years ago: same description as the Red Hat entry above.

debian, about 12 years ago: actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before ...

github, more than 8 years ago: actionpack allows bypass of database-query restrictions
