CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2016-6317

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.004

EPSS Ranking 57.1%

CVSS Severity

CVSS v3 Score 7.5

CVSS v2 Score 5.0

References

Products affected by CVE-2016-6317

Rubyonrails » Rails » Version: 4.2.0

cpe:2.3:a:rubyonrails:rails:4.2.0
Rubyonrails » Rails » Version: 4.2.1

cpe:2.3:a:rubyonrails:rails:4.2.1
Rubyonrails » Rails » Version: 4.2.2

cpe:2.3:a:rubyonrails:rails:4.2.2
Rubyonrails » Rails » Version: 4.2.3

cpe:2.3:a:rubyonrails:rails:4.2.3
Rubyonrails » Rails » Version: 4.2.4

cpe:2.3:a:rubyonrails:rails:4.2.4
Rubyonrails » Rails » Version: 4.2.5

cpe:2.3:a:rubyonrails:rails:4.2.5
Rubyonrails » Rails » Version: 4.2.5.1

cpe:2.3:a:rubyonrails:rails:4.2.5.1
Rubyonrails » Rails » Version: 4.2.5.2

cpe:2.3:a:rubyonrails:rails:4.2.5.2
Rubyonrails » Rails » Version: 4.2.6

cpe:2.3:a:rubyonrails:rails:4.2.6
Rubyonrails » Rails » Version: 4.2.7

cpe:2.3:a:rubyonrails:rails:4.2.7

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2016-6317

Products

Pricing

Contact Us