ActiveRecord in Ruby on Rails allows database-query bypass

🗓️ 24 Oct 2017 18:33:35Reported by GitHub Advisory DatabaseType

ActiveRecord in Ruby on Rails 4.2.x allows database-query bypass, enabling remote attackers to perform NULL checks or trigger missing WHERE clauses via crafted request

Reporter	Title	Published	Views	Family All 55
FreeBSD	Rails 4 -- Unsafe Query Generation Risk in Active Record	11 Aug 201600:00	–	freebsd
CNVD	Ruby on Rails Active Record SQL Injection Vulnerability (CNVD-2016-06338)	16 Aug 201600:00	–	cnvd
CVE	CVE-2016-6317	7 Sep 201619:00	–	cve
Cvelist	CVE-2016-6317	7 Sep 201619:00	–	cvelist
Debian CVE	CVE-2016-6317	7 Sep 201619:00	–	debiancve
EUVD	EUVD-2017-0283	7 Oct 202500:30	–	euvd
Fedora	[SECURITY] Fedora 25 Update: rubygem-actionpack-5.0.0.1-2.fc25	27 Aug 201611:11	–	fedora
Fedora	[SECURITY] Fedora 25 Update: rubygem-actionview-5.0.0.1-2.fc25	27 Aug 201611:11	–	fedora
Fedora	[SECURITY] Fedora 25 Update: rubygem-railties-5.0.0.1-2.fc25	27 Aug 201611:11	–	fedora
Fedora	[SECURITY] Fedora 25 Update: rubygem-activerecord-5.0.0.1-1.fc25	27 Aug 201611:11	–	fedora

Vulners

Node

activerecord_project activerecordRange4.2.0–4.2.7.0rubygems

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2016-6317
groups	www.groups.google.com/forum/
rhn	www.rhn.redhat.com/errata/RHSA-2016-1855.html
weblog	www.weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/
openwall	www.openwall.com/lists/oss-security/2016/08/11/4
github	www.github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2016-6317.yml
groups	www.groups.google.com/forum/
github	www.github.com/advisories/GHSA-pr3r-4wrp-r2pv

04 Jul 2023 00:01Current

7.4High risk

Vulners AI Score7.4

CVSS 25

CVSS 37.5

EPSS0.00381

activerecord ruby on rails database-query restrictions remote attackers json implementation