CVE-2012-2695: SQL Injection in Project Activerecord

CWE-89 SQL Injection | 10 documents | 6 sources

Severity
NVD: 7.5 HIGH
CNA: 5.0 | GHSA: 5.0 | OSV: 5.0

EPSS
0.6% (top 29.48%)

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Jun 22
Latest update: Oct 24

Description

The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P | Exploitability: 10.0 | Impact: 6.4

Affected Packages (3 packages)

RubyGems: activerecord_project/activerecord, 3.0.0.beta to 3.0.14 (+3 more ranges)
NVD: rubyonrails/rails, 26 versions (+25 more)

Vulnerability Details (4)

GHSA: activerecord vulnerable to SQL Injection (2017-10-24)
OSV: activerecord vulnerable to SQL Injection (2017-10-24)
GHSA: Active Record vulnerable to SQL Injection via nested query parameters (2017-10-24)
CVEList: CVE-2012-2695: The Active Record component in Ruby on Rails before 3 (2012-06-22)

Vendor Advisories (2)

Red Hat: rubygem-activerecord: SQL injection when processing nested query parameters (a different flaw than CVE-2012-2661) (2012-06-12)
Red Hat: rubygem-activerecord: SQL injection when processing nested query parameters (2012-05-31)

Community (3)

Bugzilla: CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query parameters (a different flaw than CVE-2012-2661) (2012-06-13)
Bugzilla: CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query parameters (a different flaw than CVE-2012-2661) [fedora-all] (2012-06-13)
Bugzilla: CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query parameters (a different flaw than CVE-2012-2661) [epel-5] (2012-06-13)
CVE-2012-2695 — SQL Injection in Project Activerecord | cvebase