CVE-2012-6496: SQL Injection in Ruby on Rails

Severity: 7.5 HIGH (NVD)
EPSS: 1.0% (top 22.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 4; latest update May 14

Description

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
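The "unexpected data types" in the description refers to a dynamic finder such as User.find_by_id(params[:id]) receiving a Hash instead of a scalar, because Rack parses a request like ?id[select]=... into a nested Hash. The affected versions popped a trailing Hash argument off as the finder's options hash, so an attacker-controlled "select" key became part of the generated SQL. The following is an added, hand-written model of that argument handling, not Active Record's own code: vulnerable_find_by mirrors the old behaviour, fixed_find_by mirrors the corrected check (only treat a trailing Hash as options when there are more arguments than attribute names), and scalar_param! is a hypothetical application-side guard. The table name, the column list and the attacker parameter are constructed for the example.

```ruby
# Added example (not Active Record's code): a hand-written model of how a
# dynamic finder such as User.find_by_id(params[:id]) assembled its SQL before
# Rails 3.2.10 / 3.1.9 / 3.0.18, and how the corrected argument handling stops
# a request parameter from becoming a query option.

# Constructed sample: what Rack's nested parameter parsing yields for a request
# like GET /users?id[select]=...  (params[:id] is a Hash, not a String).
ATTACKER_PARAMS = { "id" => { "select" => "* FROM users WHERE admin = 1 --" } }

def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Shared SQL assembly: whatever ends up in the options hash is trusted as
# query structure, the way :select was in Active Record.
def build_sql(table, conditions, options)
  select = options["select"] || options[:select] || "*"
  where = conditions.map { |column, value|
    value.nil? ? "#{column} IS NULL" : "#{column} = #{quote(value)}"
  }.join(" AND ")
  "SELECT #{select} FROM #{table} WHERE #{where} LIMIT 1"
end

# Vulnerable shape: like Array#extract_options! in the affected versions, a
# trailing Hash argument is silently popped off as the options hash. With a
# single Hash argument the attribute is left nil and the attacker-supplied
# "select" key lands in the SELECT list.
def vulnerable_find_by(table, attribute_names, *arguments)
  options    = arguments.last.is_a?(Hash) ? arguments.pop : {}
  conditions = Hash[attribute_names.zip(arguments)]
  build_sql(table, conditions, options)
end

# Fixed shape (mirrors the corrected check): a trailing Hash is only an
# options hash when there are MORE arguments than attribute names. Otherwise
# it is a value for the attribute and gets quoted like any other value.
def fixed_find_by(table, attribute_names, *arguments)
  if arguments.size < attribute_names.size
    raise ArgumentError, "expected #{attribute_names.size} value(s)"
  end
  options = {}
  if arguments.size > attribute_names.size && arguments.last.is_a?(Hash)
    options = arguments.pop
  end
  conditions = Hash[attribute_names.zip(arguments)]
  build_sql(table, conditions, options)
end

# Application-side defence that does not depend on the Rails version
# (hypothetical helper, not part of Rails): refuse structured parameter
# values where a scalar key is expected, before they reach any finder.
def scalar_param!(value)
  return value if value.is_a?(String) || value.is_a?(Integer)
  raise ArgumentError, "expected scalar parameter, got #{value.class}"
end

if $PROGRAM_NAME == __FILE__
  id = ATTACKER_PARAMS["id"]
  puts "vulnerable: #{vulnerable_find_by('users', ['id'], id)}"
  puts "fixed:      #{fixed_find_by('users', ['id'], id)}"
  begin
    scalar_param!(id)
  rescue ArgumentError => e
    puts "rejected:   #{e.message}"
  end
end
```

Running the file prints the injected statement (the attacker's text replaces the SELECT list and comments out the real WHERE clause), the fixed statement (the Hash is quoted as an ordinary value and the query shape is unchanged), and the rejection from the scalar guard. The guard is the cheap mitigation for applications that cannot upgrade immediately: a lookup key is never legitimately a Hash or Array, so rejecting those types at the controller boundary removes the attacker's ability to reach this code path at all.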

CVSS vector (v2)

AV:N/AC:L/Au:N/C:P/I:P/A:P (Exploitability: 10.0 | Impact: 6.4)

Affected Packages (4 packages)

- RubyGems: activerecord_project/activerecord, >= 3.0.0.beta and < 3.0.18 (+3 more ranges)
- Debian: rubyonrails/rails, < 2.3.14.1 (+3 more ranges)
- NVD: rubyonrails/rails, 35 versions (+34 more)

Patches

🔴 Vulnerability Details (5)

- GHSA: Authlogic Information Exposure vulnerability (2022-05-14)
- OSV: Active Record contains SQL Injection (2017-10-24)
- GHSA: Active Record contains SQL Injection (2017-10-24)
- CVEList: CVE-2012-6496: SQL injection vulnerability in the Active Record component in Ruby on Rails before 3... (2013-01-04)
- OSV: CVE-2012-6496: SQL injection vulnerability in the Active Record component in Ruby on Rails before 3... (2013-01-04)

📋 Vendor Advisories (2)

- Red Hat: rubygem-activerecord: find_by_* SQL Injection (2012-12-21)
- Debian: CVE-2012-6496: rails - SQL injection vulnerability in the Active Record component in Ruby on Rails befo... (2012)

💬 Community (4)

- Bugzilla: CVE-2012-6497 rubygem-authlogic: potential unsafe find_by_id method calls (2013-01-04)
- Bugzilla: CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection [fedora-all] (2013-01-03)
- Bugzilla: CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection [epel-5] (2013-01-03)
- Bugzilla: CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection (2012-12-22)
CVE-2012-6496 — SQL Injection in Ruby on Rails | cvebase