CVE-2013-6417

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

Published: 2013-12-06 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2013-6417 is rated Moderate Risk (56/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.37%). Core evidence: EPSS rose +1.86% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2013-6417

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.51% 2.37% +1.86%
2 2025-06-05 0.67% 0.51% -0.15%
3 2025-03-30 0.67%

Full EPSS history (9 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2013-6417

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.4 2.0 MEDIUM
AV:N/AC:L/Au:N/C:P/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
10.0 4.9 [email protected]

Weakness enumeration for CVE-2013-6417

GitHub Security Advisory for CVE-2013-6417

GHSA-wpw7-wxjm-cw8r · Severity: medium · Ecosystem: rubygems — actionpack allows bypass of database-query restrictions

OS Trackers for CVE-2013-6417

vendor priority summary link
debian unimportant CVE-2013-6417 unimportant priority: Debian including 1 source packages (rails), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2013-6417
redhat high https://access.redhat.com/security/cve/CVE-2013-6417
ubuntu medium CVE-2013-6417 medium priority: Ubuntu including 9 source packages (rails, ruby-actionpack-2.3, …), 135 status rows across 15 suites (artful, bionic, lucid, precise, quantal, raring, saucy, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): DNE 85, not-affected 32, ignored 16, released 2. https://ubuntu.com/security/CVE-2013-6417

Affected software / configurations for CVE-2013-6417

Vendor Product Version Raw CPE
rubyonrails rails 3.0.0 cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
rubyonrails rails 3.0.0 cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
rubyonrails rails 3.0.0 cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
rubyonrails rails 3.0.0 cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
rubyonrails rails 3.0.0 cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
rubyonrails rails 3.0.0 cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
rubyonrails rails 3.0.0 cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
rubyonrails rails 3.0.1 cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
rubyonrails rails 3.0.1 cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
rubyonrails rails 3.0.2 cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
rubyonrails rails 3.0.2 cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
rubyonrails rails 3.0.3 cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
rubyonrails rails 3.0.4 cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
rubyonrails rails 3.0.5 cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*
rubyonrails rails 3.0.5 cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*
rubyonrails rails 3.0.6 cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*
rubyonrails rails 3.0.6 cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*
rubyonrails rails 3.0.6 cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*
rubyonrails rails 3.0.7 cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*
rubyonrails rails 3.0.7 cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*
rubyonrails rails 3.0.7 cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*
rubyonrails rails 3.0.8 cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*
rubyonrails rails 3.0.8 cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*
rubyonrails rails 3.0.8 cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*
rubyonrails rails 3.0.8 cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*
rubyonrails rails 3.0.8 cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*
rubyonrails rails 3.0.9 cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*
rubyonrails rails 3.0.9 cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*
rubyonrails rails 3.0.9 cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*
rubyonrails rails 3.0.9 cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*
rubyonrails rails 3.0.9 cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*
rubyonrails rails 3.0.9 cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*
rubyonrails rails 3.0.10 cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*
rubyonrails rails 3.0.10 cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*
rubyonrails rails 3.0.11 cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*
rubyonrails rails 3.0.12 cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*
rubyonrails rails 3.0.12 cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*
rubyonrails rails 3.0.13 cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*
rubyonrails rails 3.0.13 cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*
rubyonrails rails 3.0.14 cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*
rubyonrails rails 3.0.16 cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*
rubyonrails rails 3.0.17 cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*
rubyonrails rails 3.0.18 cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*
rubyonrails rails 3.0.19 cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*
rubyonrails rails 3.0.20 cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*
rubyonrails rails 3.1.0 cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*
rubyonrails rails 3.1.1 cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*
rubyonrails rails 3.1.1 cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*
rubyonrails rails 3.1.1 cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*
rubyonrails rails 3.1.1 cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*
rubyonrails rails 3.1.2 cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*
rubyonrails rails 3.1.2 cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*
rubyonrails rails 3.1.2 cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*
rubyonrails rails 3.1.3 cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*
rubyonrails rails 3.1.4 cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*
rubyonrails rails 3.1.4 cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*
rubyonrails rails 3.1.5 cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*
rubyonrails rails 3.1.5 cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*
rubyonrails rails 3.1.6 cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*
rubyonrails rails 3.1.7 cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*
rubyonrails rails 3.1.8 cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*
rubyonrails rails 3.1.9 cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*
rubyonrails rails 3.1.10 cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*
rubyonrails rails 3.2.0 cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*
rubyonrails rails 3.2.0 cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*
rubyonrails rails 3.2.0 cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*
rubyonrails rails 3.2.1 cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*
rubyonrails rails 3.2.2 cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*
rubyonrails rails 3.2.2 cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*
rubyonrails rails 3.2.3 cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*
rubyonrails rails 3.2.3 cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*

References for CVE-2013-6417

cvelogic Threat Intelligence