CVE-2013-6417

Name	CVE-2013-6417
Description	actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2888-1
Debian Bugs	731288, 731290

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
rails (PTS)	buster	2:5.2.2.1+dfsg-1+deb10u3	fixed
	buster (security)	2:5.2.2.1+dfsg-1+deb10u5	fixed
	bullseye (security), bullseye	2:6.0.3.7+dfsg-2+deb11u2	fixed
	bookworm	2:6.1.7.3+dfsg-1	fixed
	sid, trixie	2:6.1.7.3+dfsg-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
rails	source	(unstable)	(not affected)
rails-3.2	source	(unstable)	3.2.16-3+0
rails-4.0	source	(unstable)	4.0.2+dfsg-1		731290
ruby-actionpack-2.3	source	(unstable)	(not affected)
ruby-actionpack-3.2	source	wheezy	3.2.6-6+deb7u1	DSA-2888-1
ruby-actionpack-3.2	source	(unstable)	3.2.16-1		731288

Notes

- ruby-actionpack-2.3 <not-affected> (vulnerable code not present)
- rails <not-affected> (vulnerable code not present)
Starting with 2.3.14.1 rails is a transition package
CVE for incomplete fix for CVE-2013-0155