CVE-2013-6417

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions prior to 3.2.16 Ruby on Rails versions 4.x prior to 4.0.2

Description The issue arises from improper consideration of differences in parameter handling between the Active Record component and the JSON implementation in actionpack/lib/action dispatch/http/request.rb. This allows remote attackers to bypass intended database-query restrictions, perform NULL checks, or trigger missing WHERE clauses via a crafted request. The request can leverage third-party Rack middleware or custom Rack middleware to exploit this issue.

Recommendations For Ruby on Rails versions prior to 3.2.16, update to version 3.2.16 or later. For Ruby on Rails versions 4.x prior to 4.0.2, update to version 4.0.2 or later. As a temporary workaround, consider restricting access to custom Rack middleware and third-party Rack middleware until a patch is applied.