CVE-2016-6317

moderate-risk

Published 2016-09-07

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

Do I need to act?

0.38% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Rails

Affected Vendors

Rubyonrails

References (10)

http://rhn.redhat.com/errata/RHSA-2016-1855.html

Release Notes http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-...

Mailing List http://www.openwall.com/lists/oss-security/2016/08/11/4

http://www.securityfocus.com/bid/92434

https://groups.google.com/forum/#%21topic/ruby-security-ann/WccgKSKiPZA

http://rhn.redhat.com/errata/RHSA-2016-1855.html

Release Notes http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-...

Mailing List http://www.openwall.com/lists/oss-security/2016/08/11/4

http://www.securityfocus.com/bid/92434

https://groups.google.com/forum/#%21topic/ruby-security-ann/WccgKSKiPZA

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 22/34 · High