CVE-2013-6417 (Improper consideration of differences in parameter handling between Rack and Rails Requests)

  • Posted December 26, 2013

  • Assessed Risk Level: Medium

Differences in parameter handling between Rack and Rails requests allow remote attackers to bypass database query restrictions and perform NULL checks or trigger missing WHERE clauses via requests using third-party or custom Rack middleware.

Status

  • Affected Versions: Puppet Enterprise 2.x, 3.x
  • Resolved in Puppet Enterprise 2.8.4 and 3.1.1
  • Note: This vulnerability was due to an incomplete fix for CVE-2013-0155.
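
The parameter-handling difference described in the summary, as an added illustration (not Puppet's or Rails' code; class and method names are hypothetical). It assumes the gap is that parameters parsed and cached by Rack middleware can carry nil-bearing arrays that a plain nil check lets through, and shows a middleware that cleans the two env keys Rack::Request uses for that cache.

```ruby
# Added illustration; class and method names are hypothetical.
# Env keys under which Rack::Request caches parsed parameters.
RACK_PARAM_KEYS = ["rack.request.query_hash", "rack.request.form_hash"].freeze

# Recursively drop nil elements from arrays; an array left empty becomes nil.
def normalize_params(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = normalize_params(v) }
  when Array
    cleaned = value.map { |v| normalize_params(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# Rack middleware: cleans parameters cached in env by earlier middleware.
class NormalizeCachedParams
  def initialize(app); @app = app; end

  def call(env)
    RACK_PARAM_KEYS.each do |key|
      env[key] = normalize_params(env[key]) if env[key].is_a?(Hash)
    end
    @app.call(env)
  end
end

# Stand-in for an app whose only guard is a nil check on the token.
def guard_passes?(env)
  !env["rack.request.form_hash"]["token"].nil?
end

# Constructed env, as if earlier middleware had parsed and cached the request.
def sample_env
  { "rack.request.form_hash" => { "token" => [nil], "ids" => [nil, "7", []] } }
end

def run_demo
  raw = sample_env
  before = guard_passes?(raw)   # guard evaluated on the uncleaned hash
  after = nil
  app = ->(env) { after = guard_passes?(env); [200, {}, []] }
  NormalizeCachedParams.new(app).call(raw)
  { before: before, after: after, params: raw["rack.request.form_hash"] }
end

p run_demo if __FILE__ == $PROGRAM_NAME
```

Upgrading to the resolved versions listed above remains the fix; the middleware only makes the normalization step visible.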