CVE-2012-2661 — SQL Injection in Project Activerecord
Severity
5.0MEDIUMNVD
GHSA7.5OSV7.5
EPSS
0.7%
top 27.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
PublishedJun 22
Latest updateOct 24
Description
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
CVSS vector
AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9
Affected Packages3 packages
🔴Vulnerability Details
4📋Vendor Advisories
3💬Community
5Bugzilla▶
CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661)↗2012-06-13
Bugzilla▶
CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661) [fedora-all]↗2012-06-13
Bugzilla▶
CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661) [epel-5]↗2012-06-13
Bugzilla▶
CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested query paramaters↗2012-06-01
Bugzilla▶
CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested query paramaters [fedora-all]↗2012-06-01