Ruby on Rails team reports:
There is a SQL injection vulnerability in Active Record in ALL
versions. Due to the way dynamic finders in Active Record extract
options from method parameters, a method parameter can mistakenly
be used as a scope. Carefully crafted requests can use the scope
to inject arbitrary SQL.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | rubygem-rails | < 3.2.10 | UNKNOWN |
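
The mechanism the report describes, as an added example that is neither Active Record source nor part of the advisory: a toy finder (`toy_find_by_id`, hypothetical) that takes a trailing Hash as its options, next to a hypothetical `scalar_param` guard that coerces request parameters to strings before they reach a finder. The sample parameters are constructed.

```ruby
# Toy model of the flaw class; an assumption for illustration, not Active
# Record source. The finder pops a trailing Hash off its arguments and
# treats it as query options, the behaviour the report describes.
def toy_find_by_id(*args)
  options = args.last.is_a?(Hash) ? args.pop : {}
  { value: args.first, options: options }
end

# Hypothetical guard: accept only scalar request parameters and hand the
# finder a String, so a parameter can never be taken for an options Hash.
def scalar_param(raw)
  case raw
  when String, Integer then raw.to_s
  else raise ArgumentError, "expected scalar parameter, got #{raw.class}"
  end
end

# Constructed request parameters: an ordinary id and one that arrives as a Hash.
PLAIN  = "42"
NESTED = { limit: 1 }

# Parameter passed straight through: a Hash becomes the finder's options.
def unguarded(raw)
  toy_find_by_id(raw)
end

# Parameter coerced first: the finder only ever sees a String value.
def guarded(raw)
  toy_find_by_id(scalar_param(raw))
end

if __FILE__ == $PROGRAM_NAME
  p unguarded(PLAIN)    # value is "42", options stay empty
  p unguarded(NESTED)   # value is nil, the Hash has become the options
  begin
    guarded(NESTED)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```
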