Active Record contains SQL Injection

GHSA-gh2w-j7cx-2664 · CVE-2012-6496

Published Oct 24, 2017 · Modified Jan 21, 2025

Description

SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2012-6496
WEB https://github.com/rails/rails/commit/9de9b359d0d24f70f0f6c5c58a7ad8750684d456
WEB https://bugzilla.redhat.com/show_bug.cgi?id=889649
PACKAGE https://github.com/rails/rails
WEB https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain
WEB http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
WEB http://rhn.redhat.com/errata/RHSA-2013-0154.html
WEB http://rhn.redhat.com/errata/RHSA-2013-0220.html
WEB http://rhn.redhat.com/errata/RHSA-2013-0544.html
WEB http://security.gentoo.org/glsa/glsa-201401-22.xml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes