CVE-2013-6417 in Ruby on RailsИнформация

Сводка

по MITRE

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Резервировать

04.11.2013

Раскрытие

06.12.2013

Модерация

принято

Вход

VDB-11376

EPSS

0.02371

KEV

Нет

Деятельности

Очень низкий

Источники

Might our Artificial Intelligence support you?

Check our Alexa App!