CVE-2016-6317

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2016-6317
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6317.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-6317
Aliases
Related
Published
2016-09-07T19:28:11Z
Modified
2024-09-18T02:29:57.075158Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

References

Affected packages

Debian:11 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:4.2.7.1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:4.2.7.1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:4.2.7.1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5d101c33fa19deca00e251152d25090cc152998f
Last affected
6ac6daa43e1c5b7388f8fd69f8117eb7668887c7
Last affected
73521d586981279a99d3ba038d62e2414125df7a
Last affected
7847a19f476fb9bee287681586d872ea43785e53
Last affected
7f2327f65b4117384bec3547ccd5a99028df57e0
Last affected
97ad61e9583e2bf5c57d6f75008cadc80ba9b910
Last affected
a0e0b67b5afbb02d9ea9e48d71ae80b3efb8c0ac
Last affected
bb382b7aee116446518ca4ed1c6472d6b58f42b5
Last affected
dac822ef58ae05f0e805222fa8744116080165ac
Last affected
f1ccb2e6ecb5486179ee6b20438d562ac45de4f4

Affected versions

v0.*

v0.10.0
v0.10.1
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.13.1
v0.14.1
v0.14.3
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.4.1
v0.9.5

v1.*

v1.1.0
v1.1.0_RC1
v1.1.1

v2.*

v2.0.0
v2.0.0_PR
v2.0.0_RC1
v2.0.0_RC2
v2.0.1
v2.1.0
v2.1.0_RC1
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.2.1

v3.*

v3.0.0.beta.2
v3.0.0.beta.3
v3.0.0.beta1
v3.0.0.beta2
v3.0.0.beta3
v3.0.0.beta4
v3.0.0_RC
v3.1.0.beta1
v3.1.0.rc1
v3.2.0.rc1

v4.*

v4.0.0.beta1
v4.0.0.rc1
v4.1.0.beta1
v4.1.0.beta2
v4.2.0
v4.2.0.beta1
v4.2.0.beta4
v4.2.0.rc1
v4.2.0.rc2
v4.2.0.rc3
v4.2.1
v4.2.1.rc1
v4.2.1.rc2
v4.2.1.rc3
v4.2.1.rc4
v4.2.2