Permissions, Privileges, and Access Controls in Rails Action Mailer for Ruby on Rails
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2013-6417 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Action Mailer Universal components / Libraries / Programming Languages & Components |
| Vendor | Rails |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU32545
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-6417
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
MitigationInstall update from vendor's website.
Vulnerable software versionsAction Mailer: 3.2.0 - 4.0.1
CPE2.3- cpe:2.3:a:rails:actionmailer:3.2.0:*:*:*:*:ruby_on_rails:*:*
- cpe:2.3:a:rails:actionmailer:3.2.1:*:*:*:*:ruby_on_rails:*:*
- cpe:2.3:a:rails:actionmailer:3.2.2:*:*:*:*:ruby_on_rails:*:*
https://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
https://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
https://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
https://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
https://rhn.redhat.com/errata/RHSA-2013-1794.html
https://rhn.redhat.com/errata/RHSA-2014-0008.html
https://rhn.redhat.com/errata/RHSA-2014-0469.html
https://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
https://www.debian.org/security/2014/dsa-2888
https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ
https://puppet.com/security/cve/cve-2013-6417
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
