SB2016081903 - Fedora 23 update for rubygem-actionpack, rubygem-activerecord
Published: August 19, 2016 Updated: April 24, 2025
Security Bulletin ID
SB2016081903
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Security restrictions bypass (CVE-ID: CVE-2016-6317)
The vulnerability allows a remote attacker to bypass certain security restrictions.
Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values.
Remediation
Install update from vendor's website.