CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.005 Low
Percentile: 73.7%

Due to the way that Rack::Request and Rails::Request interact, it is possible for a third-party or custom Rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. If that happens, the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: it would be possible for an attacker to issue unexpected database queries with IS NULL or empty where clauses.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | gem/actionpack | ge | 2.0.0 |
| | gem/actionpack | lt | 3.2.16 |
| | gem/actionpack | ge | 4.0.0.beta1 |
| | gem/actionpack | lt | 4.0.2 |
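
To check a project against the affected-version table above, the following added example (not part of the original advisory) reads the resolved actionpack version from a Gemfile.lock and tests it against both ranges. The function names and the sample lockfile are constructed for illustration.

```ruby
# Affected actionpack ranges, taken from the table on this page
# (ge = ">=", lt = "<").
AFFECTED_RANGES = [
  Gem::Requirement.new(">= 2.0.0", "< 3.2.16"),
  Gem::Requirement.new(">= 4.0.0.beta1", "< 4.0.2")
].freeze

# True when the given actionpack version falls inside an affected range.
# Gem::Version orders prereleases correctly (4.0.0.beta1 < 4.0.0.rc1 < 4.0.0).
def actionpack_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(v) }
end

# Extracts resolved versions of a gem from Gemfile.lock text.
# Resolved gems sit at four spaces of indentation: "    actionpack (3.2.15)".
# Dependency constraints such as "      actionpack (= 3.2.15)" are indented
# six spaces and contain an operator, so they are skipped.
def locked_versions(lockfile_text, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/
  lockfile_text.each_line.map { |line| line[pattern, 1] }.compact
end

# Returns one result hash per resolved actionpack entry in the lockfile.
def audit_lockfile(lockfile_text)
  locked_versions(lockfile_text, "actionpack").map do |v|
    { version: v, affected: actionpack_affected?(v) }
  end
end

# Constructed sample input, not taken from a real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (3.2.15)
        actionpack (= 3.2.15)
      actionpack (3.2.15)
        activemodel (= 3.2.15)
        rack (~> 1.4.5)
LOCK

audit_lockfile(SAMPLE_LOCKFILE).each do |r|
  puts "actionpack #{r[:version]}: #{r[:affected] ? 'AFFECTED, upgrade' : 'not affected'}"
end
```

Versions between the two ranges, such as later 3.2.x releases, are reported as not affected because they satisfy neither requirement.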