VIR Vulnerability Intelligence Relay

CVE-2013-6417

medium
Published 2013-12-03 · Modified 2024-11-29
CVSS v3
CVSS v2
6.4
VIR risk
6.4

Description

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-6417

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed0
debian debianbullseyefixed0
debian debianforkyfixed0
debian debiansidfixed0
debian debiantrixiefixed0

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemsactionpack<~> 3.2.16~> 3.2.16
ruby RubyGemsactionpack>=3.0.0,<3.2.163.2.16
ruby RubyGemsactionpack>=4.0.0,<4.0.24.0.2

Application impact
VendorProductVersionsFixed
rubyonrailsrails3.0.0
rubyonrailsrails3.0.1
rubyonrailsrails3.0.2
rubyonrailsrails3.0.3
rubyonrailsrails3.0.4
rubyonrailsrails3.0.5
rubyonrailsrails3.0.6
rubyonrailsrails3.0.7
rubyonrailsrails3.0.8
rubyonrailsrails3.0.9
rubyonrailsrails3.0.10
rubyonrailsrails3.0.11
rubyonrailsrails3.0.12
rubyonrailsrails3.0.13
rubyonrailsrails3.0.14
rubyonrailsrails3.0.16
rubyonrailsrails3.0.17
rubyonrailsrails3.0.18
rubyonrailsrails3.0.19
rubyonrailsrails3.0.20
rubyonrailsrails3.1.0
rubyonrailsrails3.1.1
rubyonrailsrails3.1.2
rubyonrailsrails3.1.3
rubyonrailsrails3.1.4
rubyonrailsrails3.1.5
rubyonrailsrails3.1.6
rubyonrailsrails3.1.7
rubyonrailsrails3.1.8
rubyonrailsrails3.1.9
rubyonrailsrails3.1.10
rubyonrailsrails3.2.0
rubyonrailsrails3.2.1
rubyonrailsrails3.2.2
rubyonrailsrails3.2.3
rubyonrailsrails3.2.4
rubyonrailsrails3.2.5
rubyonrailsrails3.2.6
rubyonrailsrails3.2.7
rubyonrailsrails3.2.8
rubyonrailsrails3.2.9
rubyonrailsrails3.2.10
rubyonrailsrails3.2.11
rubyonrailsrails3.2.12
rubyonrailsrails3.2.13
rubyonrailsruby_on_rails{"endIncluding":"3.2.15"}
rubyonrailsruby_on_rails3.0.4
rubyonrailsruby_on_rails3.1.11
rubyonrailsruby_on_rails3.2.14
rubyonrailsruby_on_rails3.2.15
rubyonrailsrails{"endIncluding":"4.0.1"}
rubyonrailsrails4.0.0
rubyonrailsrails4.0.1

References

CWEs

CWE-264

Verify integrity in audit chain (admin only). AS-IS.