#VU8576 Security restrictions bypass in Ruby on Rails - CVE-2016-6317

Cybersecurity Help s.r.o.

Published: 2016-09-14 | Updated: 2017-09-22

Vulnerability identifier: #VU8576

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-6317

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ruby on Rails
Universal components / Libraries / Scripting languages

Vendor: Rails

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values.

Mitigation
Update to version 4.2.7.1.

Vulnerable software versions

Ruby on Rails: 4.2.0 rc1 - 4.2.7

External links
https://09513209197612856111.googlegroups.com/attach/aa8540dec3af4/4-2-unsafe-query-generation.patch...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 23 update for rubygem-actionpack, rubygem-activerecord

Fedora 24 update for rubygem-actionpack, rubygem-activerecord

Fedora 25 update for rubygem-actioncable, rubygem-actionmailer, rubygem-actionpack, rubygem-actionview, rubygem-activejob, rubygem-activemodel, rubygem-activerecord, rubygem-activesupport, rubygem-rails, rubygem-railties

Secuirty restrictions bypass in Ruby on Rails