VIR Vulnerability Intelligence Relay

CVE-2016-6317

high
Published 2016-08-11 · Modified 2024-02-20
CVSS v3
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v2
5.0
VIR risk
7.5

Description

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

Predictions

Exploit likelihood
83%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-6317

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-6317.html

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormfixed2:4.2.7.1-1
debian debianbullseyefixed2:4.2.7.1-1
debian debianforkyfixed2:4.2.7.1-1
debian debiansidfixed2:4.2.7.1-1
debian debiantrixiefixed2:4.2.7.1-1

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemsactiverecord!< 4.2.0,!>= 5.0.0||<>= 4.2.7.1>= 4.2.7.1
ruby RubyGemsactiverecord>=4.2.0,<4.2.7.14.2.7.1

Application impact
VendorProductVersionsFixed
rubyonrailsrails4.2.0
rubyonrailsrails4.2.1
rubyonrailsrails4.2.2
rubyonrailsrails4.2.3
rubyonrailsrails4.2.4
rubyonrailsrails4.2.5
rubyonrailsrails4.2.5.1
rubyonrailsrails4.2.5.2
rubyonrailsrails4.2.6
rubyonrailsrails4.2.7

References

CWEs

CWE-284 CWE-476

Verify integrity in audit chain (admin only). AS-IS.