CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
75.2%
SQL injection vulnerability in the Active Record component in Ruby on Rails
before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote
attackers to execute arbitrary SQL commands via a crafted request that
leverages incorrect behavior of dynamic finders in applications that can
use unexpected data types in certain find_by_ method calls.
Author | Note |
---|---|
mdeslaur | in Oneiric+, rails package is just for transition |
seth-arnold | The authlogic gem was frequently cited as the problem in early reports, but the problem is with core Active Record. authlogic was just one vector known to allow exploiting the problem. CVE-2012-5664 was rejected as a result of the confusion. |
blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
www.openwall.com/lists/oss-security/2013/01/03/12
www.openwall.com/lists/oss-security/2013/01/03/5
groups.google.com/forum/#!topic/rubyonrails-security/DCNTNp_qjFM
launchpad.net/bugs/cve/CVE-2012-6496
nvd.nist.gov/vuln/detail/CVE-2012-6496
security-tracker.debian.org/tracker/CVE-2012-6496
www.cve.org/CVERecord?id=CVE-2012-6496