CVSS2: 6.4 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |

EPSS: 0.007 (Low), percentile 80.5%
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before
3.2.16 and 4.x before 4.0.2 does not properly consider differences in
parameter handling between the Active Record component and the JSON
implementation, which allows remote attackers to bypass intended
database-query restrictions and perform NULL checks or trigger missing
WHERE clauses via a crafted request that leverages (1) third-party Rack
middleware or (2) custom Rack middleware. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2013-0155.
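The description above turns on two facts: a JSON body can deliver `null`, and arrays containing `null`, where a form-encoded body can only deliver strings; and a normaliser that runs only inside the framework's own JSON parse path is skipped whenever a Rack middleware has already parsed the body and stored the hash where the request layer picks it up. The following Ruby is an added illustration, not Rails, Rack or project code. `deep_munge` approximates the Rails 4.0-era normaliser; `'rack.request.form_hash'` is the Rack env key under which an already-parsed body is memoised; `params_before_fix`, `params_after_fix`, `json_parsing_middleware`, `token_predicate` and `string_param` are hypothetical stand-ins, and the predicate model covers only the NULL-check case (the missing-WHERE case is not modelled).

```ruby
require 'json'
require 'uri'

# Added illustration, not Rails or Rack code. Only 'rack.request.form_hash'
# is a real Rack env key; every function here is a constructed stand-in.

# Normaliser modelled on the Rails 4.0-era deep_munge (an approximation, not
# the Rails source): drop nils from arrays, collapse an all-nil array to nil,
# recurse into nested hashes and into hashes inside arrays.
def deep_munge(hash)
  hash.each do |key, value|
    case value
    when Array
      value.grep(Hash) { |h| deep_munge(h) }
      value.compact!
      hash[key] = nil if value.empty?
    when Hash
      deep_munge(value)
    end
  end
  hash
end

# The framework's own body parser. A form body can only ever yield Strings;
# a JSON body can yield nil and arrays containing nil.
def parse_body(env)
  if env['CONTENT_TYPE'] == 'application/json'
    JSON.parse(env['rack.input'])
  else
    URI.decode_www_form(env['rack.input']).to_h
  end
end

# Pre-fix shape (hypothetical model): munging happens only on the framework's
# own parse path, so a hash earlier middleware stored in the env is used as-is.
def params_before_fix(env)
  return env['rack.request.form_hash'] if env.key?('rack.request.form_hash')
  deep_munge(parse_body(env))
end

# Post-fix shape (hypothetical model): munge whichever hash is used,
# regardless of who parsed it.
def params_after_fix(env)
  deep_munge(env['rack.request.form_hash'] || parse_body(env))
end

# Constructed stand-in for a third-party or custom Rack middleware that parses
# JSON itself and stores the result where the request layer picks it up.
def json_parsing_middleware(env)
  return env unless env['CONTENT_TYPE'] == 'application/json'
  env.merge('rack.request.form_hash' => JSON.parse(env['rack.input']))
end

# Hypothetical model of the condition an ORM equality lookup builds for a
# value; returns [sql_fragment, binds] so nothing is interpolated into SQL.
# nil becomes an IS NULL test, and a nil inside an array adds OR ... IS NULL,
# which is how an attacker-controlled JSON value widens the query.
def token_predicate(value)
  case value
  when nil
    ['token IS NULL', []]
  when Array
    rest = value.compact
    return ['token IS NULL', []] if rest.empty?
    sql = "token IN (#{Array.new(rest.size, '?').join(', ')})"
    sql += ' OR token IS NULL' if rest.size < value.size
    [sql, rest]
  else
    ['token = ?', [value]]
  end
end

# Application-side guard: whatever the request layer did, hand the finder a
# String and nothing else. Returns the value or raises ArgumentError.
def string_param(params, key)
  value = params[key]
  raise ArgumentError, "#{key} must be a String" unless value.is_a?(String)
  value
end

# Constructed sample request env (a plain Hash standing in for the Rack env).
def sample_env(content_type, body)
  { 'CONTENT_TYPE' => content_type, 'rack.input' => body }
end

if __FILE__ == $PROGRAM_NAME
  form = sample_env('application/x-www-form-urlencoded', 'token=abc123')
  json = json_parsing_middleware(sample_env('application/json', '{"token": [null, "abc123"]}'))
  puts token_predicate(params_before_fix(form)['token']).inspect
  puts token_predicate(params_before_fix(json)['token']).inspect
  puts token_predicate(params_after_fix(json)['token']).inspect
end
```

Run directly, it prints the form-body predicate, the widened predicate produced when the middleware-parsed `[null, "abc123"]` reaches the lookup unmunged, and the plain `IN` predicate once munging is applied to whichever hash is used. Note that a bare `null` still arrives as `nil` on both paths, so the last function is the durable defence: the finder should never receive anything but a String.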
Author | Note |
---|---|
mdeslaur | in Oneiric+, rails package is just for transition |