CVE-2016-6317 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2016-6317 Interim 1 6 2022-03-01T01:44:09Z current 2021-05-30T13:44:41Z 2022-03-01T01:44:09Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2016-6317 Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2017-October/003293.html E-Mail link for SUSE-SU-2017:2716-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Enterprise Storage 3 SUSE Enterprise Storage 4 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 ruby2.1-rubygem-actionmailer-4_2-4.2.9-3.3.1 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.3.1 ruby2.1-rubygem-actionview-4_2-4.2.9-9.3.1 ruby2.1-rubygem-activejob-4_2-4.2.9-3.3.1 ruby2.1-rubygem-activemodel-4_2-4.2.9-6.3.1 ruby2.1-rubygem-activerecord-4_2-4.2.9-6.3.1 ruby2.1-rubygem-activesupport-4_2-4.2.9-7.3.1 ruby2.1-rubygem-rails-4_2-4.2.9-3.3.1 ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.3.1 ruby2.1-rubygem-railties-4_2-4.2.9-3.3.1 ruby2.1-rubygem-actionmailer-4_2-4.2.9-3.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-actionview-4_2-4.2.9-9.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-activejob-4_2-4.2.9-3.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-activemodel-4_2-4.2.9-6.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-activerecord-4_2-4.2.9-6.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-activesupport-4_2-4.2.9-7.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-rails-4_2-4.2.9-3.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-railties-4_2-4.2.9-3.3.1 as a component of SUSE Enterprise Storage 3 ruby2.1-rubygem-actionmailer-4_2-4.2.9-3.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-actionview-4_2-4.2.9-9.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-activejob-4_2-4.2.9-3.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-activemodel-4_2-4.2.9-6.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-activerecord-4_2-4.2.9-6.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-activesupport-4_2-4.2.9-7.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-rails-4_2-4.2.9-3.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-railties-4_2-4.2.9-3.3.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-actionmailer-4_2-4.2.9-3.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-actionview-4_2-4.2.9-9.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-activejob-4_2-4.2.9-3.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-activemodel-4_2-4.2.9-6.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-activerecord-4_2-4.2.9-6.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-activesupport-4_2-4.2.9-7.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-rails-4_2-4.2.9-3.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-railties-4_2-4.2.9-3.3.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-actionmailer-4_2-4.2.9-3.3.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.3.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-actionview-4_2-4.2.9-9.3.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-activejob-4_2-4.2.9-3.3.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-activemodel-4_2-4.2.9-6.3.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-activerecord-4_2-4.2.9-6.3.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-activesupport-4_2-4.2.9-7.3.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-rails-4_2-4.2.9-3.3.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.3.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-railties-4_2-4.2.9-3.3.1 as a component of SUSE OpenStack Cloud 7 Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155. CVE-2016-6317 SUSE Enterprise Storage 3:ruby2.1-rubygem-actionmailer-4_2-4.2.9-3.3.1 SUSE Enterprise Storage 3:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.3.1 SUSE Enterprise Storage 3:ruby2.1-rubygem-actionview-4_2-4.2.9-9.3.1 SUSE Enterprise Storage 3:ruby2.1-rubygem-activejob-4_2-4.2.9-3.3.1 SUSE Enterprise Storage 3:ruby2.1-rubygem-activemodel-4_2-4.2.9-6.3.1 SUSE Enterprise Storage 3:ruby2.1-rubygem-activerecord-4_2-4.2.9-6.3.1 SUSE Enterprise Storage 3:ruby2.1-rubygem-activesupport-4_2-4.2.9-7.3.1 SUSE Enterprise Storage 3:ruby2.1-rubygem-rails-4_2-4.2.9-3.3.1 SUSE Enterprise Storage 3:ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.3.1 SUSE Enterprise Storage 3:ruby2.1-rubygem-railties-4_2-4.2.9-3.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-actionmailer-4_2-4.2.9-3.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-actionview-4_2-4.2.9-9.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-activejob-4_2-4.2.9-3.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-activemodel-4_2-4.2.9-6.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-activerecord-4_2-4.2.9-6.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-activesupport-4_2-4.2.9-7.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-rails-4_2-4.2.9-3.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.3.1 SUSE Enterprise Storage 4:ruby2.1-rubygem-railties-4_2-4.2.9-3.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-actionmailer-4_2-4.2.9-3.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-actionview-4_2-4.2.9-9.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-activejob-4_2-4.2.9-3.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-activemodel-4_2-4.2.9-6.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-activerecord-4_2-4.2.9-6.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-activesupport-4_2-4.2.9-7.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-rails-4_2-4.2.9-3.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.3.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-railties-4_2-4.2.9-3.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-actionmailer-4_2-4.2.9-3.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-actionview-4_2-4.2.9-9.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-activejob-4_2-4.2.9-3.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-activemodel-4_2-4.2.9-6.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-activerecord-4_2-4.2.9-6.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-activesupport-4_2-4.2.9-7.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-rails-4_2-4.2.9-3.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.3.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-railties-4_2-4.2.9-3.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N