CVE-2013-6417

Published: Dec 7, 2013Modified: Apr 29, 2026

6.4

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability: 10.0 / Impact: 4.9

Source: NVD

Description

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

Affected (108)

Products: Rubyonrails: Rails, Ruby On Rails

Rubyonrails

2 products

Rails

Ruby On Rails

Configuration A

102 vulnerable

Vulnerable Software	Affected Versions
Rubyonrails Rails	Version 3.0.0
Rubyonrails Rails	Version 3.0.0 beta2
Rubyonrails Rails	Version 3.0.0 beta3
Rubyonrails Rails	Version 3.0.0 beta4
Rubyonrails Rails	Version 3.0.0 beta
Rubyonrails Rails	Version 3.0.0 rc2
Rubyonrails Rails	Version 3.0.0 rc
Rubyonrails Rails	Version 3.0.10
Rubyonrails Rails	Version 3.0.10 rc1
Rubyonrails Rails	Version 3.0.11
Rubyonrails Rails	Version 3.0.12
Rubyonrails Rails	Version 3.0.12 rc1
Rubyonrails Rails	Version 3.0.13
Rubyonrails Rails	Version 3.0.13 rc1
Rubyonrails Rails	Version 3.0.14
Rubyonrails Rails	Version 3.0.16
Rubyonrails Rails	Version 3.0.17
Rubyonrails Rails	Version 3.0.18
Rubyonrails Rails	Version 3.0.19
Rubyonrails Rails	Version 3.0.1
Rubyonrails Rails	Version 3.0.1 pre
Rubyonrails Rails	Version 3.0.20
Rubyonrails Rails	Version 3.0.2
Rubyonrails Rails	Version 3.0.2 pre
Rubyonrails Rails	Version 3.0.3
Rubyonrails Rails	Version 3.0.4 rc1
Rubyonrails Rails	Version 3.0.5
Rubyonrails Rails	Version 3.0.5 rc1
Rubyonrails Rails	Version 3.0.6
Rubyonrails Rails	Version 3.0.6 rc1
Rubyonrails Rails	Version 3.0.6 rc2
Rubyonrails Rails	Version 3.0.7
Rubyonrails Rails	Version 3.0.7 rc1
Rubyonrails Rails	Version 3.0.7 rc2
Rubyonrails Rails	Version 3.0.8
Rubyonrails Rails	Version 3.0.8 rc1
Rubyonrails Rails	Version 3.0.8 rc2
Rubyonrails Rails	Version 3.0.8 rc3
Rubyonrails Rails	Version 3.0.8 rc4
Rubyonrails Rails	Version 3.0.9
Rubyonrails Rails	Version 3.0.9 rc1
Rubyonrails Rails	Version 3.0.9 rc2
Rubyonrails Rails	Version 3.0.9 rc3
Rubyonrails Rails	Version 3.0.9 rc4
Rubyonrails Rails	Version 3.0.9 rc5
Rubyonrails Rails	Version 3.1.0
Rubyonrails Rails	Version 3.1.0 beta1
Rubyonrails Rails	Version 3.1.0 rc1
Rubyonrails Rails	Version 3.1.0 rc2
Rubyonrails Rails	Version 3.1.0 rc3
Rubyonrails Rails	Version 3.1.0 rc4
Rubyonrails Rails	Version 3.1.0 rc5
Rubyonrails Rails	Version 3.1.0 rc6
Rubyonrails Rails	Version 3.1.0 rc7
Rubyonrails Rails	Version 3.1.0 rc8
Rubyonrails Rails	Version 3.1.10
Rubyonrails Rails	Version 3.1.1
Rubyonrails Rails	Version 3.1.1 rc1
Rubyonrails Rails	Version 3.1.1 rc2
Rubyonrails Rails	Version 3.1.1 rc3
Rubyonrails Rails	Version 3.1.2
Rubyonrails Rails	Version 3.1.2 rc1
Rubyonrails Rails	Version 3.1.2 rc2
Rubyonrails Rails	Version 3.1.3
Rubyonrails Rails	Version 3.1.4
Rubyonrails Rails	Version 3.1.4 rc1
Rubyonrails Rails	Version 3.1.5
Rubyonrails Rails	Version 3.1.5 rc1
Rubyonrails Rails	Version 3.1.6
Rubyonrails Rails	Version 3.1.7
Rubyonrails Rails	Version 3.1.8
Rubyonrails Rails	Version 3.1.9
Rubyonrails Rails	Version 3.2.0
Rubyonrails Rails	Version 3.2.0 rc1
Rubyonrails Rails	Version 3.2.0 rc2
Rubyonrails Rails	Version 3.2.10
Rubyonrails Rails	Version 3.2.11
Rubyonrails Rails	Version 3.2.12
Rubyonrails Rails	Version 3.2.13
Rubyonrails Rails	Version 3.2.13 rc1
Rubyonrails Rails	Version 3.2.13 rc2
Rubyonrails Rails	Version 3.2.1
Rubyonrails Rails	Version 3.2.2
Rubyonrails Rails	Version 3.2.2 rc1
Rubyonrails Rails	Version 3.2.3
Rubyonrails Rails	Version 3.2.3 rc1
Rubyonrails Rails	Version 3.2.3 rc2
Rubyonrails Rails	Version 3.2.4
Rubyonrails Rails	Version 3.2.4 rc1
Rubyonrails Rails	Version 3.2.5
Rubyonrails Rails	Version 3.2.6
Rubyonrails Rails	Version 3.2.7
Rubyonrails Rails	Version 3.2.8
Rubyonrails Rails	Version 3.2.9
Rubyonrails Ruby On Rails	Up to 3.2.15
Rubyonrails Ruby On Rails	Version 3.0.4
Rubyonrails Ruby On Rails	Version 3.1.11
Rubyonrails Ruby On Rails	Version 3.2.14
Rubyonrails Ruby On Rails	Version 3.2.14 rc1
Rubyonrails Ruby On Rails	Version 3.2.14 rc2
Rubyonrails Ruby On Rails	Version 3.2.15 rc1
Rubyonrails Ruby On Rails	Version 3.2.15 rc2

Configuration B

6 vulnerable

Vulnerable Software	Affected Versions
Rubyonrails Rails	Up to 4.0.1
Rubyonrails Rails	Version 4.0.0
Rubyonrails Rails	Version 4.0.0 beta
Rubyonrails Rails	Version 4.0.0 rc1
Rubyonrails Rails	Version 4.0.0 rc2
Rubyonrails Rails	Version 4.0.1 rc1