CVE-2013-6417 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2013-6417 Interim 1 18 2023-12-08T02:33:56Z current 2021-05-30T13:16:05Z 2023-12-08T02:33:56Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2013-6417 actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2014-January/000700.html E-Mail link for SUSE-SU-2014:0152-1 https://lists.suse.com/pipermail/sle-security-updates/2014-January/000701.html E-Mail link for SUSE-SU-2014:0153-1 https://lists.suse.com/pipermail/sle-security-updates/2014-May/000824.html E-Mail link for SUSE-SU-2014:0686-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Lifecycle Management Server 1.3 SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise High Availability Extension 11 SP3 SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Studio Onsite 1.3 SUSE WebYast 1.3 hawk-0.6.1-0.17.1 hawk-templates-0.6.1-0.17.1 rubygem-actionpack-2_3-2.3.17-0.13.2 rubygem-actionpack-3_2-3.2.12-0.11.1 rubygem-actionpack-3_2-3.2.12-0.19.1 rubygem-actionpack-3_2-3.2.12-0.11.1 as a component of SUSE Lifecycle Management Server 1.3 hawk-0.6.1-0.17.1 as a component of SUSE Linux Enterprise High Availability Extension 11 SP3 hawk-templates-0.6.1-0.17.1 as a component of SUSE Linux Enterprise High Availability Extension 11 SP3 rubygem-actionpack-2_3-2.3.17-0.13.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP2 rubygem-actionpack-3_2-3.2.12-0.19.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 rubygem-actionpack-3_2-3.2.12-0.11.1 as a component of SUSE Studio Onsite 1.3 rubygem-actionpack-3_2-3.2.12-0.11.1 as a component of SUSE WebYast 1.3 actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155. CVE-2013-6417 SUSE Lifecycle Management Server 1.3:rubygem-actionpack-3_2-3.2.12-0.11.1 SUSE Linux Enterprise High Availability Extension 11 SP3:hawk-0.6.1-0.17.1 SUSE Linux Enterprise High Availability Extension 11 SP3:hawk-templates-0.6.1-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP2:rubygem-actionpack-2_3-2.3.17-0.13.2 SUSE Linux Enterprise Software Development Kit 11 SP4:rubygem-actionpack-3_2-3.2.12-0.19.1 SUSE Studio Onsite 1.3:rubygem-actionpack-3_2-3.2.12-0.11.1 SUSE WebYast 1.3:rubygem-actionpack-3_2-3.2.12-0.11.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N