← Back to CVEs

CVE-2016-6317

N/A

Description

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

CVE Details

CVSS v3.1 ScoreN/A

Published9/7/2016

Last Modified4/12/2025

Sourcenvd

Honeypot Sightings0

Affected Products

rubyonrails:rails

Weaknesses (CWE)

CWE-284CWE-476

References

http://rhn.redhat.com/errata/RHSA-2016-1855.html(secalert@redhat.com)

http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/(secalert@redhat.com)

http://www.openwall.com/lists/oss-security/2016/08/11/4(secalert@redhat.com)

http://www.securityfocus.com/bid/92434(secalert@redhat.com)

https://groups.google.com/forum/#%21topic/ruby-security-ann/WccgKSKiPZA(secalert@redhat.com)

http://rhn.redhat.com/errata/RHSA-2016-1855.html(af854a3a-2127-422b-91ae-364da2661108)

http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/(af854a3a-2127-422b-91ae-364da2661108)

http://www.openwall.com/lists/oss-security/2016/08/11/4(af854a3a-2127-422b-91ae-364da2661108)

http://www.securityfocus.com/bid/92434(af854a3a-2127-422b-91ae-364da2661108)

https://groups.google.com/forum/#%21topic/ruby-security-ann/WccgKSKiPZA(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.