Description

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

Remediation

References

CVE-2016-6317

Related Vulnerabilities

Joomla! Core Security Bypass (2.5.0 - 3.8.7)

Oracle Database Server CVE-2014-6541 Vulnerability (CVE-2014-6541)

Joomla! Core 1.0.x Multiple Vulnerabilities (1.0.0 - 1.0.9)

WordPress Plugin WooCommerce Unspecified Vulnerability (3.9.1)

axios Improper Input Validation Vulnerability (CVE-2019-10742)

Severity

High

Classification

CVE-2016-6317 CWE-284 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities