Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

Update to Rails 5.0.0.1.

Enable whole test suite in Railties.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ruby Security team reports :

There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. This vulnerability has been assigned the CVE identifier CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155.

- Fix for CVE-2016-6317 (rhbz#1366479)

  - Fix argument error for instance_exec for Ruby 2.3     compatibility (Only rubygem-activerecord f24)

  - Improve tests not to accept the failures (Only     rubygem-activerecord)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
94808	Fedora 25 : 1:rubygem-actionmailer / 1:rubygem-actionpack / etc (2016-5760339e76)	Nessus	Fedora Local Security Checks	high
94082	FreeBSD : Rails 4 -- Unsafe Query Generation Risk in Active Record (7e61cf44-6549-11e6-8286-00248c0c745d)	Nessus	FreeBSD Local Security Checks	high
93209	Fedora 23 : 1:rubygem-actionpack / 1:rubygem-activerecord (2016-f58d7ecc8a)	Nessus	Fedora Local Security Checks	high
93207	Fedora 24 : 1:rubygem-actionpack / 1:rubygem-activerecord (2016-b4919ffe56)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2016-6317

high

Tenable Plugins

high

high

high

high