Common Vulnerabilities and Exposures

Upstream information

CVE-2013-6417 at MITRE


actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

NVD CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)

SUSE information

SUSE Bugzilla entries: 846239, 853625, 853627, 854786

SUSE Security Advisories:

List of released packages

Product(s): SUSE Linux Enterprise High Availability Extension 11 SP3
Fixed package version(s):
  • hawk >= 0.6.1-0.17.1
  • hawk-templates >= 0.6.1-0.17.1
References: SAT Patch Nr: 9208

Product(s): SUSE Lifecycle Management Server 1.3, SUSE Studio Onsite 1.3, WebYaST 1.3
Fixed package version(s):
  • rubygem-actionpack-3_2 >= 3.2.12-0.11.1
References: SAT Patch Nr: 8667

© 2015 Novell