Vulnerability details: VCID-nf8s-2aaa-17fw
Vulnerability ID: VCID-nf8s-2aaa-17fw
Aliases: CVE-2013-6417, GHSA-wpw7-wxjm-cw8r, OSV-100527
Summary: Incomplete fix for CVE-2013-0155 (Unsafe Query Generation Risk). Due to the way that `Rack::Request` and `Rails::Request` interact, it is possible for third-party or custom Rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. If that happens, the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: an attacker could issue unexpected database queries with `IS NULL` or empty `WHERE` clauses.
Status: Published
Exploitability: 0.5
Weighted Severity: 6.2
Risk: 3.1
Affected and Fixed Packages / Package Details
Weaknesses (5)
Severity scores (System / Score / Found at):
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2013-1794.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-0008.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-0469.html
epss 0.00512 https://api.first.org/data/v1/epss?cve=CVE-2013-6417
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-wpw7-wxjm-cw8r
generic_textual MODERATE https://github.com/rails/rails
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6417.yml
generic_textual MODERATE https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ
generic_textual MODERATE https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2013-6417
generic_textual MODERATE https://puppet.com/security/cve/cve-2013-6417
generic_textual MODERATE https://web.archive.org/web/20160806051251/https://puppet.com/security/cve/cve-2013-6417
generic_textual MODERATE http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
generic_textual MODERATE http://www.debian.org/security/2014/dsa-2888
References (Reference id / Reference type / URL):
http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
http://rhn.redhat.com/errata/RHSA-2013-1794.html
http://rhn.redhat.com/errata/RHSA-2014-0008.html
http://rhn.redhat.com/errata/RHSA-2014-0469.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6417.json
https://api.first.org/data/v1/epss?cve=CVE-2013-6417
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
http://seclists.org/oss-sec/2013/q4/403
https://github.com/rails/rails
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6417.yml
https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ
https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
https://nvd.nist.gov/vuln/detail/CVE-2013-6417
https://puppet.com/security/cve/cve-2013-6417
https://web.archive.org/web/20160806051251/https://puppet.com/security/cve/cve-2013-6417
http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
http://www.debian.org/security/2014/dsa-2888
1036409 https://bugzilla.redhat.com/show_bug.cgi?id=1036409
GHSA-wpw7-wxjm-cw8r https://github.com/advisories/GHSA-wpw7-wxjm-cw8r
RHSA-2013:1794 https://access.redhat.com/errata/RHSA-2013:1794
RHSA-2014:0008 https://access.redhat.com/errata/RHSA-2014:0008
RHSA-2014:0469 https://access.redhat.com/errata/RHSA-2014:0469
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile: 0.66402
EPSS Score: 0.00512
Published At: April 1, 2026, 12:55 p.m.
History (Date / Actor / Action / Source / VulnerableCode Version):
2026-04-01T12:46:50.749976+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2013-6417.yml 38.0.0