Unsafe Query Generation Risk Affecting actionpack package, versions < 4.0.2, >= 3.3 < 3.2.16
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-ACTIONPACK-20125
- published 2 Dec 2013
- disclosed 2 Dec 2013
- credit Sudhir Rao
Introduced: 2 Dec 2013
CVE-2013-6417 Open this link in a new tabOverview
actionpack is a web app builder and tester on Rails.
Affected versions of this Gem are vulnerable to Unsafe Query Generation Risk.
The prior fix to CVE-2013-0155 was incomplete, and some 3rd party libraries can accidentally circumvent the protection.
Details
It is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. This is due to the way that Rack::Request and Rails::Request interact.
If this happens, the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability.