CVE-2013-6417 (Improper consideration of differences in parameter handling between Rack and Rails Requests)
Posted December 26, 2013
Assessed Risk Level: Medium
Differences in parameter handling between Rack and Rails requests allow remote attackers to bypass database query restrictions and perform NULL checks or trigger missing WHERE clauses via requests using third-party or custom Rack middleware.
- Affected Versions: Puppet Enterprise 2.x, 3.x
- Resolved in Puppet Enterprise 2.8.4 and 3.1.1
- Note: This vulnerability was due to an incomplete fix for CVE-2013-0155.