6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
72.8%
The prior fix to CVE-2013-0155 was incomplete and the use of common
3rd party libraries can accidentally circumvent the protection. Due
to the way that Rack::Request and Rails::Request interact, it is
possible for a 3rd party or custom rack middleware to parse the
parameters insecurely and store them in the same key that Rails uses
for its own parameters. In the event that happens the application
will receive unsafe parameters and could be vulnerable to the earlier
vulnerability.
CPE | Name | Operator | Version |
---|---|---|---|
actionpack | le | 3.2.15 | |
actionpack | ge | 3.3.0 | |
actionpack | lt | 4.0.2 |