← Back

CVE-2016-6317

nvd nist
Published: Sep 7, 2016Modified: May 6, 2026

JSON object

Loading...
7.5
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

Affected (27)

Products: Rubyonrails: Rails
Rubyonrails
1 product
Rails
Configuration A
27 vulnerable
Vulnerable SoftwareAffected Versions
Rubyonrails
Rails
Version 4.2.0
Rails
Version 4.2.0 beta1
Rails
Version 4.2.0 beta2
Rails
Version 4.2.0 beta3
Rails
Version 4.2.0 beta4
Rails
Version 4.2.0 rc1
Rails
Version 4.2.0 rc2
Rails
Version 4.2.0 rc3
Rails
Version 4.2.1
Rails
Version 4.2.1 rc1
Rails
Version 4.2.1 rc2
Rails
Version 4.2.1 rc3
Rails
Version 4.2.1 rc4
Rails
Version 4.2.2
Rails
Version 4.2.3
Rails
Version 4.2.3 rc1
Rails
Version 4.2.4
Rails
Version 4.2.4 rc1
Rails
Version 4.2.5.1
Rails
Version 4.2.5.2
Rails
Version 4.2.5
Rails
Version 4.2.5 rc1
Rails
Version 4.2.5 rc2
Rails
Version 4.2.6
Rails
Version 4.2.6 rc1
Rails
Version 4.2.7
Rails
Version 4.2.7 rc1

Related CWEs

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-476
NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.

References (10)

Source: secalert@redhat.com
Source: secalert@redhat.com
Release Notes
Source: secalert@redhat.com
Mailing ListThird Party Advisory
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.