Sha256: 185521aeb5bff03478e4a722b3b526522acd7eca6e56088f08f80a4b097af72a

Contents?: true

Size: 808 Bytes

Versions: 6

Compression:

Stored size: 808 Bytes

Contents

---
gem: actionpack
framework: rails
cve: 2013-6417
osvdb: 100527
url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
date: 2013-12-03

description: |
  The prior fix to CVE-2013-0155 was incomplete and the use of common
  3rd party libraries can accidentally circumvent the protection. Due
  to the way that Rack::Request and Rails::Request interact, it is
  possible for a 3rd party or custom rack middleware to parse the
  parameters insecurely and store them in the same key that Rails uses
  for its own parameters.  In the event that happens the application
  will receive unsafe parameters and could be vulnerable to the earlier
  vulnerability.

cvss_v2: 6.4

patched_versions:
  - ~> 3.2.16
  - ">= 4.0.2"

Version data entries

6 entries across 6 versions & 2 rubygems

Version                Path
bundler-audit-0.7.0.1  data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml
bundler-budit-0.6.2    data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml
bundler-budit-0.6.1    data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml
bundler-audit-0.6.1    data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml
bundler-audit-0.6.0    data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml
bundler-audit-0.5.0    data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml