CVE

Id
93137  
CVE No.
CVE-2016-6317  
Status
Candidate  
Description
Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.  
Phase
Assigned (20160726)  
Votes
None (candidate not yet proposed)  
Comments
 

Actions

Related CVE References

Id CVE Id CVE No. Reference Actions
792846 93137 CVE-2016-6317 MLIST:[oss-security] 20160811 [CVE-2016-6317] Unsafe Query Generation Risk in Active Record  View
792847 93137 CVE-2016-6317 URL:http://www.openwall.com/lists/oss-security/2016/08/11/4  View
792848 93137 CVE-2016-6317 MLIST:[ruby-security-ann] 20160811 [CVE-2016-6317] Unsafe Query Generation Risk in Active Record  View
792849 93137 CVE-2016-6317 URL:https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA  View
792850 93137 CVE-2016-6317 CONFIRM:http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/  View
792851 93137 CVE-2016-6317 REDHAT:RHSA-2016:1855  View
792852 93137 CVE-2016-6317 URL:http://rhn.redhat.com/errata/RHSA-2016-1855.html  View
792853 93137 CVE-2016-6317 BID:92434  View

Related JVN

Id JVN No. Title Summary CVE No. CVE Id CVSS_v2 CVSS_v3 JVN URL Actions
5493 JVNDB-2016-006266 phpMyAdmin におけるサービス運用妨害 (DoS) の脆弱性 phpMyAdmin には、サービス運用妨害 (DoS) 状態にされる脆弱性が存在します。 CVE-2016-6630 93137 4 6.5 http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-006266.html  View