CVE-2016-6317
Published on: 09/07/2016 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:12 PM UTC
Certain versions of Rails from Rubyonrails contain the following vulnerability:
Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
- CVE-2016-6317 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 7.5 - HIGH
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|
---|---|---|---|---|
NETWORK | LOW | NONE | NONE | |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
|
UNCHANGED | NONE | HIGH | NONE |
CVSS2 Score: 5 - MEDIUM
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | LOW | NONE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
NONE | PARTIAL | NONE |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
Riding Rails: Rails 5.0.0.1, 4.2.7.1, and 3.2.22.3 have been released! | Release Notes weblog.rubyonrails.org text/html |
![]() |
Red Hat Customer Portal | web.archive.org text/html Inactive LinkNot Archived |
![]() |
oss-security - [CVE-2016-6317] Unsafe Query Generation Risk in Active Record | Mailing List Third Party Advisory www.openwall.com text/html |
![]() |
Ruby on Rails Active Record CVE-2016-6317 SQL Injection Vulnerability | cve.report (archive) text/html |
![]() |
Google Groups | groups.google.com text/html |
![]() |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Rubyonrails | Rails | 4.2.0 | All | All | All |
Application | Rubyonrails | Rails | 4.2.0 | beta1 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | beta2 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | beta3 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | beta4 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | rc2 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | rc3 | All | All |
Application | Rubyonrails | Rails | 4.2.1 | All | All | All |
Application | Rubyonrails | Rails | 4.2.1 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.1 | rc2 | All | All |
Application | Rubyonrails | Rails | 4.2.1 | rc3 | All | All |
Application | Rubyonrails | Rails | 4.2.1 | rc4 | All | All |
Application | Rubyonrails | Rails | 4.2.2 | All | All | All |
Application | Rubyonrails | Rails | 4.2.3 | All | All | All |
Application | Rubyonrails | Rails | 4.2.3 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.4 | All | All | All |
Application | Rubyonrails | Rails | 4.2.4 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.5 | All | All | All |
Application | Rubyonrails | Rails | 4.2.5 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.5 | rc2 | All | All |
Application | Rubyonrails | Rails | 4.2.5.1 | All | All | All |
Application | Rubyonrails | Rails | 4.2.5.2 | All | All | All |
Application | Rubyonrails | Rails | 4.2.6 | All | All | All |
Application | Rubyonrails | Rails | 4.2.6 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.7 | All | All | All |
Application | Rubyonrails | Rails | 4.2.7 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | All | All | All |
Application | Rubyonrails | Rails | 4.2.0 | beta1 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | beta2 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | beta3 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | beta4 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | rc2 | All | All |
Application | Rubyonrails | Rails | 4.2.0 | rc3 | All | All |
Application | Rubyonrails | Rails | 4.2.1 | All | All | All |
Application | Rubyonrails | Rails | 4.2.1 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.1 | rc2 | All | All |
Application | Rubyonrails | Rails | 4.2.1 | rc3 | All | All |
Application | Rubyonrails | Rails | 4.2.1 | rc4 | All | All |
Application | Rubyonrails | Rails | 4.2.2 | All | All | All |
Application | Rubyonrails | Rails | 4.2.3 | All | All | All |
Application | Rubyonrails | Rails | 4.2.3 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.4 | All | All | All |
Application | Rubyonrails | Rails | 4.2.4 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.5 | All | All | All |
Application | Rubyonrails | Rails | 4.2.5 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.5 | rc2 | All | All |
Application | Rubyonrails | Rails | 4.2.5.1 | All | All | All |
Application | Rubyonrails | Rails | 4.2.5.2 | All | All | All |
Application | Rubyonrails | Rails | 4.2.6 | All | All | All |
Application | Rubyonrails | Rails | 4.2.6 | rc1 | All | All |
Application | Rubyonrails | Rails | 4.2.7 | All | All | All |
Application | Rubyonrails | Rails | 4.2.7 | rc1 | All | All |
- cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.6:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.7:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.7:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.6:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.7:*:*:*:*:*:*:*:
- cpe:2.3:a:rubyonrails:rails:4.2.7:rc1:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE