UBUNTU-CVE-2013-6417
Advisory lineage: Upstream: 1, Downstream: 0
Published: 07 Dec 2013, 00:55
Last modified: 16 Jul 2025, 08:10
Vulnerability Summary
- Overall Risk (default): minimal (0/100)
- CVSS Score: No data
- EPSS Score: No data
- KEV: Not listed
- Ransomware: No reports
- Public exploits: None found
- Dark Web: Not detected
Description
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
Affected Systems
- ubuntu•ruby-actionpack-3.2 < 3.2.16-3