Overview

CVE-2013-6417 (Improper consideration of differences in parameter handling between Rack and Rails Requests)

  • Posted December 26, 2013
  • Assessed Risk Level: Medium

Differences in parameter handling between Rack and Rails requests allow remote attackers to bypass database query restrictions and perform NULL checks or trigger missing WHERE clauses via requests that are processed by third-party or custom Rack middleware.

Status

  • Affected Versions: Puppet Enterprise 2.x, 3.x
  • Resolved in Puppet Enterprise 2.8.4 and 3.1.1
  • Note: This vulnerability was due to an incomplete fix for CVE-2013-0155.