Main Vulnerability Database SB2014042103

SB2014042103 - Permissions, Privileges, and Access Controls in ruby-actionmailer (Alpine package)

Published: April 21, 2014

Security Bulletin ID SB2014042103

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-6417)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=fd539db871c05c91f0470acd3ff9821c841ff8e9