Search...

Ruby on Rails Active Record SQL Injection Vulnerability (Linux)

2016-10-13T00:00:00

ID OPENVAS:1361412562310807378
Type openvas
Reporter Copyright (C) 2016 Greenbone Networks GmbH
Modified 2017-10-24T00:00:00

Description

This host is running Ruby on Rails and is prone to SQL injection vulnerability.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_ruby_on_rails_action_record_sql_inj_vuln_lin.nasl 7545 2017-10-24 11:45:30Z cfischer $
#
# Ruby on Rails Active Record SQL Injection Vulnerability (Linux)
#
# Authors:
# Antu Sanadi &lt;santu@secpod.com&gt;
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

CPE = 'cpe:/a:rubyonrails:ruby_on_rails';

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.807378");
  script_version("$Revision: 7545 $");
  script_cve_id("CVE-2016-6317");
  script_bugtraq_id(92434);
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_tag(name:"last_modification", value:"$Date: 2017-10-24 13:45:30 +0200 (Tue, 24 Oct 2017) $");
  script_tag(name:"creation_date", value:"2016-10-13 14:29:38 +0530 (Thu, 13 Oct 2016)");
  script_tag(name:"qod_type", value:"remote_banner_unreliable");
  script_name("Ruby on Rails Active Record SQL Injection Vulnerability (Linux)");

  script_tag(name:"summary", value:"This host is running Ruby on Rails and is
  prone to SQL injection vulnerability.");

  script_tag(name:"vuldetect", value:"Get the installed version with the help
  of detect NVT and check the version is vulnerable or not.");

  script_tag(name:"insight", value:"The flaw is due to the way Active Record
  interprets parameters in combination with the way that JSON parameters are
  parsed, it is possible for an attacker to issue unexpected database queries
  with 'IS NULL' or empty where clauses.");

  script_tag(name:"impact", value:"Successful exploitation will allow a remote
  attacker to bypass intended database-query restrictions and perform NULL checks
  or trigger missing WHERE clauses via a crafted request, as demonstrated by
  certain '[nil]' values.

  Impact Level: Application");

  script_tag(name:"affected", value:"Ruby on Rails 4.2.x before 4.2.7.1 on Linux");

  script_tag(name:"solution", value:"Upgrade to Ruby on Rails 4.2.7.1 or later.
  For updates refer to http://rubyonrails.org");

  script_tag(name:"solution_type", value:"VendorFix");

  script_xref(name : "URL" , value : "http://www.openwall.com/lists/oss-security/2016/08/11/4");
  script_xref(name : "URL" , value : "https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA");
  script_xref(name : "URL" , value : "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
  script_family("Web application abuses");
  script_dependencies("secpod_ruby_rails_detect.nasl", "os_detection.nasl");
  script_mandatory_keys("RubyOnRails/installed", "Host/runs_unixoide");
  script_require_ports("Services/www", 3000);
  exit(0);
}


##
### Code Starts Here
##

include("version_func.inc");
include("host_details.inc");

## Variable Initialization
RubyonRailPort = "";
RubyonRailVer = "";

## Get HTTP Port
if(!RubyonRailPort = get_app_port(cpe:CPE)){
  exit(0);
}

## Get the version
if(!RubyonRailVer = get_app_version(cpe:CPE, port:RubyonRailPort)){
  exit(0);
}

##Check for vulnerable version
if(version_in_range(version:RubyonRailVer, test_version:"4.2.0", test_version2:"4.2.7.0"))
{
  report = report_fixed_ver(installed_version:RubyonRailVer, fixed_version:"4.2.7.1");
  security_message(data:report, port:RubyonRailPort);
  exit(0);
}

JSON Vulners Source

Initial Source

{"href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807378", "history": [{"lastseen": "2017-07-02T21:13:08", "differentElements": ["modified", "sourceData"], "edition": 1, "bulletin": {"href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807378", "history": [], "naslFamily": "Web application abuses", "id": "OPENVAS:1361412562310807378", "title": "Ruby on Rails Active Record SQL Injection Vulnerability (Linux)", "description": "This host is running Ruby on Rails and is\n prone to SQL injection vulnerability.", "published": "2016-10-13T00:00:00", "type": "openvas", "bulletinFamily": "scanner", "hashmap": [{"key": "description", "hash": "5a8b427c85fc28c29cc762052f43aa3d"}, {"key": "sourceData", "hash": "5f53274497eca880e417806017fc98d3"}, {"key": "modified", "hash": "7d0606d422b7f815cc8a157fb6d33530"}, {"key": "cvss", "hash": "26769fd423968d45be7383413e2552f1"}, {"key": "published", "hash": "bcd8abde7f060a8789d08ba0ba73d345"}, {"key": "pluginID", "hash": "c9c8d39315c77932a9b5173e23d4dcf3"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "href", "hash": "1f55505d74f3aaa5dd7068ab31cf6f62"}, {"key": "title", "hash": "a396c37e785aedd996daef45aca71fb5"}, {"key": "reporter", "hash": "ea106ff9c2727a6e906e8959871e7c06"}, {"key": "references", "hash": "2d1f501cf925df4b9ddcbbec739d6940"}, {"key": "cvelist", "hash": "5c2fb6abefa4b019bd1c0af856180f2b"}], "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ruby_on_rails_action_record_sql_inj_vuln_lin.nasl 5650 2017-03-21 10:00:45Z teissa $\n#\n# Ruby on Rails Active Record SQL Injection Vulnerability (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:rubyonrails:ruby_on_rails';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807378\");\n script_version(\"$Revision: 5650 $\");\n script_cve_id(\"CVE-2016-6317\");\n script_bugtraq_id(92434);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-21 11:00:45 +0100 (Tue, 21 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-13 14:29:38 +0530 (Thu, 13 Oct 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Ruby on Rails Active Record SQL Injection Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is running Ruby on Rails and is\n prone to SQL injection vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the installed version with the help\n of detect NVT and check the version is vulnerable or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to the way Active Record\n interprets parameters in combination with the way that JSON parameters are\n parsed, it is possible for an attacker to issue unexpected database queries\n with 'IS NULL' or empty where clauses.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to bypass intended database-query restrictions and perform NULL checks\n or trigger missing WHERE clauses via a crafted request, as demonstrated by\n certain '[nil]' values.\n\n Impact Level: Application\");\n\n script_tag(name:\"affected\", value:\"Ruby on Rails 4.2.x before 4.2.7.1 on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Ruby on Rails 4.2.7.1 or later.\n For updates refer to http://rubyonrails.org\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"http://www.openwall.com/lists/oss-security/2016/08/11/4\");\n script_xref(name : \"URL\" , value : \"https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA\");\n script_xref(name : \"URL\" , value : \"http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_ruby_rails_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"RubyOnRails/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 3000);\n exit(0);\n}\n\n\n##\n### Code Starts Here\n##\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\n## Variable Initialization\nRubyonRailPort = \"\";\nRubyonRailVer = \"\";\n\n## exit, if its not Linux\nif(host_runs(\"Linux\") != \"yes\")exit(0);\n\n## Get HTTP Port\nif(!RubyonRailPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\n## Get the version\nif(!RubyonRailVer = get_app_version(cpe:CPE, port:RubyonRailPort)){\n exit(0);\n}\n\n##Check for vulnerable version\nif(version_in_range(version:RubyonRailVer, test_version:\"4.2.0\", test_version2:\"4.2.7.0\"))\n{\n report = report_fixed_ver(installed_version:RubyonRailVer, fixed_version:\"4.2.7.1\");\n security_message(data:report, port:RubyonRailPort);\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "pluginID": "1361412562310807378", "hash": "0d1803139b293038f78eec9bb7aee1ea7b5d864e052a0893fa8a481f9fd3b5fe", "modified": "2017-03-21T00:00:00", "edition": 1, "cvelist": ["CVE-2016-6317"], "lastseen": "2017-07-02T21:13:08", "viewCount": 0, "enchantments": {}, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "objectVersion": "1.3", "references": ["http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released", "http://www.openwall.com/lists/oss-security/2016/08/11/4", "https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA"]}}], "naslFamily": "Web application abuses", "id": "OPENVAS:1361412562310807378", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-10-13T00:00:00", "description": "This host is running Ruby on Rails and is\n prone to SQL injection vulnerability.", "title": "Ruby on Rails Active Record SQL Injection Vulnerability (Linux)", "bulletinFamily": "scanner", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ruby_on_rails_action_record_sql_inj_vuln_lin.nasl 7545 2017-10-24 11:45:30Z cfischer $\n#\n# Ruby on Rails Active Record SQL Injection Vulnerability (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:rubyonrails:ruby_on_rails';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807378\");\n script_version(\"$Revision: 7545 $\");\n script_cve_id(\"CVE-2016-6317\");\n script_bugtraq_id(92434);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:45:30 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-13 14:29:38 +0530 (Thu, 13 Oct 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Ruby on Rails Active Record SQL Injection Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is running Ruby on Rails and is\n prone to SQL injection vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the installed version with the help\n of detect NVT and check the version is vulnerable or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to the way Active Record\n interprets parameters in combination with the way that JSON parameters are\n parsed, it is possible for an attacker to issue unexpected database queries\n with 'IS NULL' or empty where clauses.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to bypass intended database-query restrictions and perform NULL checks\n or trigger missing WHERE clauses via a crafted request, as demonstrated by\n certain '[nil]' values.\n\n Impact Level: Application\");\n\n script_tag(name:\"affected\", value:\"Ruby on Rails 4.2.x before 4.2.7.1 on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Ruby on Rails 4.2.7.1 or later.\n For updates refer to http://rubyonrails.org\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"http://www.openwall.com/lists/oss-security/2016/08/11/4\");\n script_xref(name : \"URL\" , value : \"https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA\");\n script_xref(name : \"URL\" , value : \"http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_ruby_rails_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"RubyOnRails/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 3000);\n exit(0);\n}\n\n\n##\n### Code Starts Here\n##\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\n## Variable Initialization\nRubyonRailPort = \"\";\nRubyonRailVer = \"\";\n\n## Get HTTP Port\nif(!RubyonRailPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\n## Get the version\nif(!RubyonRailVer = get_app_version(cpe:CPE, port:RubyonRailPort)){\n exit(0);\n}\n\n##Check for vulnerable version\nif(version_in_range(version:RubyonRailVer, test_version:\"4.2.0\", test_version2:\"4.2.7.0\"))\n{\n report = report_fixed_ver(installed_version:RubyonRailVer, fixed_version:\"4.2.7.1\");\n security_message(data:report, port:RubyonRailPort);\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "pluginID": "1361412562310807378", "hash": "8a44cc1b2a8d71709698157a31358e3eb33c0eff2baa8d178df7a6d016904213", "references": ["http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released", "http://www.openwall.com/lists/oss-security/2016/08/11/4", "https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA"], "edition": 2, "cvelist": ["CVE-2016-6317"], "lastseen": "2017-10-25T14:42:51", "viewCount": 1, "enchantments": {"vulnersScore": 7.5}, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "5c2fb6abefa4b019bd1c0af856180f2b"}, {"key": "cvss", "hash": "26769fd423968d45be7383413e2552f1"}, {"key": "description", "hash": "5a8b427c85fc28c29cc762052f43aa3d"}, {"key": "href", "hash": "1f55505d74f3aaa5dd7068ab31cf6f62"}, {"key": "modified", "hash": "c5bb34af05c207ad0795b24b339835fb"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "pluginID", "hash": "c9c8d39315c77932a9b5173e23d4dcf3"}, {"key": "published", "hash": "bcd8abde7f060a8789d08ba0ba73d345"}, {"key": "references", "hash": "2d1f501cf925df4b9ddcbbec739d6940"}, {"key": "reporter", "hash": "ea106ff9c2727a6e906e8959871e7c06"}, {"key": "sourceData", "hash": "42f59352167dc1dca0f7500bb165cf4c"}, {"key": "title", "hash": "a396c37e785aedd996daef45aca71fb5"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "objectVersion": "1.3", "modified": "2017-10-24T00:00:00"}

{"result": {"cve": [{"id": "CVE-2016-6317", "type": "cve", "title": "CVE-2016-6317", "description": "Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.", "published": "2016-09-07T15:28:11", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6317", "cvelist": ["CVE-2016-6317"], "lastseen": "2016-11-29T14:41:46"}], "openvas": [{"id": "OPENVAS:1361412562310807377", "type": "openvas", "title": "Ruby on Rails Active Record SQL Injection Vulnerability (Windows)", "description": "This host is running Ruby on Rails and is\n prone to SQL injection vulnerability.", "published": "2016-10-13T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807377", "cvelist": ["CVE-2016-6317"], "lastseen": "2017-10-25T14:42:40"}, {"id": "OPENVAS:1361412562310809163", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2016-b4919ffe56", "description": "Check the version of rubygem-activerecord", "published": "2016-08-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809163", "cvelist": ["CVE-2016-6317"], "lastseen": "2017-07-25T10:54:08"}, {"id": "OPENVAS:1361412562310809161", "type": "openvas", "title": "Fedora Update for rubygem-actionpack FEDORA-2016-f58d7ecc8a", "description": "Check the version of rubygem-actionpack", "published": "2016-08-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809161", "cvelist": ["CVE-2016-6317"], "lastseen": "2017-07-25T10:54:42"}, {"id": "OPENVAS:1361412562310809159", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2016-f58d7ecc8a", "description": "Check the version of rubygem-activerecord", "published": "2016-08-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809159", "cvelist": ["CVE-2016-6317"], "lastseen": "2017-07-25T10:55:14"}, {"id": "OPENVAS:1361412562310809167", "type": "openvas", "title": "Fedora Update for rubygem-actionpack FEDORA-2016-b4919ffe56", "description": "Check the version of rubygem-actionpack", "published": "2016-08-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809167", "cvelist": ["CVE-2016-6317"], "lastseen": "2017-07-25T10:54:54"}, {"id": "OPENVAS:1361412562310871937", "type": "openvas", "title": "Fedora Update for rubygem-railties FEDORA-2016-5760339e76", "description": "Check the version of rubygem-railties", "published": "2016-12-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871937", "cvelist": ["CVE-2016-6317", "CVE-2016-6316"], "lastseen": "2017-07-25T10:54:33"}, {"id": "OPENVAS:1361412562310872011", "type": "openvas", "title": "Fedora Update for rubygem-actioncable FEDORA-2016-5760339e76", "description": "Check the version of rubygem-actioncable", "published": "2016-12-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872011", "cvelist": ["CVE-2016-6317", "CVE-2016-6316"], "lastseen": "2017-07-25T10:54:56"}, {"id": "OPENVAS:1361412562310871890", "type": "openvas", "title": "Fedora Update for rubygem-rails FEDORA-2016-5760339e76", "description": "Check the version of rubygem-rails", "published": "2016-12-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871890", "cvelist": ["CVE-2016-6317", "CVE-2016-6316"], "lastseen": "2017-07-25T10:54:25"}, {"id": "OPENVAS:1361412562310872008", "type": "openvas", "title": "Fedora Update for rubygem-activejob FEDORA-2016-5760339e76", "description": "Check the version of rubygem-activejob", "published": "2016-12-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872008", "cvelist": ["CVE-2016-6317", "CVE-2016-6316"], "lastseen": "2017-07-25T10:53:59"}, {"id": "OPENVAS:1361412562310872094", "type": "openvas", "title": "Fedora Update for rubygem-actionpack FEDORA-2016-5760339e76", "description": "Check the version of rubygem-actionpack", "published": "2016-12-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872094", "cvelist": ["CVE-2016-6317", "CVE-2016-6316"], "lastseen": "2017-07-25T10:54:35"}], "nessus": [{"id": "FREEBSD_PKG_7E61CF44654911E6828600248C0C745D.NASL", "type": "nessus", "title": "FreeBSD : Rails 4 -- Unsafe Query Generation Risk in Active Record (7e61cf44-6549-11e6-8286-00248c0c745d)", "description": "Ruby Security team reports :\n\nThere is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. This vulnerability has been assigned the CVE identifier CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155.", "published": "2016-10-17T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=94082", "cvelist": ["CVE-2016-6317"], "lastseen": "2017-10-29T13:39:19"}, {"id": "FEDORA_2016-F58D7ECC8A.NASL", "type": "nessus", "title": "Fedora 23 : 1:rubygem-actionpack / 1:rubygem-activerecord (2016-f58d7ecc8a)", "description": "- Fix for CVE-2016-6317 (rhbz#1366479)\n\n - Fix argument error for instance_exec for Ruby 2.3 compatibility (Only rubygem-activerecord f24)\n\n - Improve tests not to accept the failures (Only rubygem-activerecord)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-08-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=93209", "cvelist": ["CVE-2016-6317"], "lastseen": "2017-10-29T13:34:12"}, {"id": "FEDORA_2016-B4919FFE56.NASL", "type": "nessus", "title": "Fedora 24 : 1:rubygem-actionpack / 1:rubygem-activerecord (2016-b4919ffe56)", "description": "- Fix for CVE-2016-6317 (rhbz#1366479)\n\n - Fix argument error for instance_exec for Ruby 2.3 compatibility (Only rubygem-activerecord f24)\n\n - Improve tests not to accept the failures (Only rubygem-activerecord)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-08-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=93207", "cvelist": ["CVE-2016-6317"], "lastseen": "2017-10-29T13:36:28"}, {"id": "FEDORA_2016-5760339E76.NASL", "type": "nessus", "title": "Fedora 25 : 1:rubygem-actionmailer / 1:rubygem-actionpack / etc (2016-5760339e76)", "description": "Update to Rails 5.0.0.1.\n\nEnable whole test suite in Railties.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-11-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=94808", "cvelist": ["CVE-2016-6317", "CVE-2016-6316"], "lastseen": "2017-10-29T13:44:26"}], "freebsd": [{"id": "7E61CF44-6549-11E6-8286-00248C0C745D", "type": "freebsd", "title": "Rails 4 -- Unsafe Query Generation Risk in Active Record", "description": "\nRuby Security team reports:\n\nThere is a vulnerability when Active Record is used in conjunction with JSON\nparameter parsing. This vulnerability has been assigned the CVE identifier\nCVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694\nand CVE-2013-0155.\n\n", "published": "2016-08-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vuxml.freebsd.org/freebsd/7e61cf44-6549-11e6-8286-00248c0c745d.html", "cvelist": ["CVE-2016-6317"], "lastseen": "2016-10-14T13:22:35"}], "redhat": [{"id": "RHSA-2016:1855", "type": "redhat", "title": "(RHSA-2016:1855) Moderate: rh-ror42 security update", "description": "Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action View implements the view component, and Active Record implements the model component.\n\nSecurity Fix(es) in rubygem-actionview:\n\n* It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)\n\nSecurity Fix(es) in rubygem-activerecord:\n\n* A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application. (CVE-2016-6317)\n\nRed Hat would like to thank the Ruby on Rails project for reporting these issues. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the original reporter of CVE-2016-6316; and joernchen (Phenoelit) as the original reporter of CVE-2016-6317.", "published": "2016-09-13T13:49:49", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2016:1855", "cvelist": ["CVE-2016-6316", "CVE-2016-6317"], "lastseen": "2018-04-23T08:34:18"}], "hackerone": [{"id": "H1:139321", "type": "hackerone", "title": "Ruby on Rails: Unsafe Query Generation (CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155) mitigation bypass", "description": "# Unsafe Query Generation Risk in Active Record \n\nThere is a vulnerability when Active Record is used in conjunction with JSON \nparameter parsing. This vulnerability has been assigned the CVE identifier \nCVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694 \nand CVE-2013-0155. \n\nVersions Affected: >= 4.2.0 \nNot affected: < 4.2.0, >= 5.0.0 \nFixed Versions: 4.2.7.1 \n\nImpact \n------ \n\nDue to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with \"IS NULL\" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it. \n\nFor example, a system has password reset with token functionality: \n\n unless params[:token].nil? \n user = User.find_by_token(params[:token]) \n user.reset_password! \n end \n\nAn attacker can craft a request such that `params[:token]` will return `[nil]`. The `[nil]` value will bypass the test for nil, but will still add an \"IN ('xyz', NULL)\" clause to the SQL query. \n\nSimilarly, an attacker can craft a request such that `params[:token]` will return an empty hash. An empty hash will eliminate the WHERE clause of the query, but can bypass the `nil?` check. \n\nNote that this impacts not only dynamic finders (`find_by_*`) but also relations (`User.where(:name => params[:name])`). \n\nAll users running an affected release should either upgrade or use one of the work arounds immediately. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155. Even if you upgraded to address those issues, you must take action again. \n\nIf this chance in behavior impacts your application, you can manually decode the original values from the request like so: \n\n ActiveSupport::JSON.decode(request.body) \n\nReleases \n-------- \nThe FIXED releases are available at the normal locations. \n\nWorkarounds \n----------- \nThis problem can be mitigated by casting the parameter to a string before passing it to Active Record. For example: \n\n unless params[:token].nil? || params[:token].to_s.empty? \n user = User.find_by_token(params[:token].to_s) \n user.reset_password! \n end \n\n\nPatches \n------- \nTo aid users who aren't able to upgrade immediately we have provided patches for \nthe two supported release series. They are in git-am format and consist of a \nsingle changeset. \n\n* 4-2-unsafe-query-generation.patch - Patch for 4.2 series \n\nPlease note that only the 5.0.x and 4.2.x series are supported at present. Users \nof earlier unsupported releases are advised to upgrade as soon as possible as we \ncannot guarantee the continued availability of security fixes for unsupported \nreleases. \n\nCredits \n------- \n\nThanks to joernchen of Phenoelit for reporting this!", "published": "2016-05-17T13:38:03", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://hackerone.com/reports/139321", "cvelist": ["CVE-2016-6317", "CVE-2012-2660", "CVE-2012-2694", "CVE-2013-0155"], "lastseen": "2018-04-19T17:34:11"}]}}