Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2016-6317

A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application.

Source

A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application.

Find out more about CVE-2016-6317 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score	4.3
Base Metrics	AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector	Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	None
Integrity Impact	Partial
Availability Impact	None

CVSS v3 metrics

CVSS3 Base Score	5.3
CVSS3 Base Metrics	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality	None
Integrity Impact	Low
Availability Impact	None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform	Errata	Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ror42-rubygem-activerecord)	RHSA-2016:1855	2016-09-13

Affected Packages State

Platform	Package	State
Red Hat Subscription Asset Manager 1	ruby193-rubygem-activerecord	Not affected
Red Hat Subscription Asset Manager 1	rubygem-activerecord	Not affected
Red Hat Software Collections for Red Hat Enterprise Linux	ror40-rubygem-activerecord	Not affected
Red Hat Software Collections for Red Hat Enterprise Linux	rh-ror41-rubygem-activerecord	Not affected
Red Hat Software Collections for Red Hat Enterprise Linux	ruby193-rubygem-activerecord	Not affected

Acknowledgements

Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges joernchen (Phenoelit) as the original reporter.

External References

https://groups.google.com/forum/#!msg/rubyonrails-security/rgO20zYW33s/gmamLa-wDAAJ

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2016-6317

CVSS v2 metrics

CVSS v3 metrics

Red Hat Security Errata

Affected Packages State

Acknowledgements

External References

Vulmon Search

About

Products

Connect