CVE-2012-6497 — Sensitive Information Exposure in Rails

CWE-200 — Sensitive Information Exposure8 documents6 sources

Severity

5.0MEDIUMNVD

CNA7.5GHSA7.5OSV7.5

EPSS

0.4%

top 39.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails

Timeline

PublishedJan 4

Latest updateMay 14

Description

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDrubyonrails/rails< 3.2.10

▶Debianrubyonrails/rails< 2.3.14.1+3

🔴Vulnerability Details

GHSA

Authlogic Information Exposure vulnerability↗2022-05-14

▶

OSV

Authlogic Information Exposure vulnerability↗2022-05-14

▶

CVEList

CVE-2012-6497: The Authlogic gem for Ruby on Rails, when used with certain versions before 3↗2013-01-04

▶

OSV

CVE-2012-6497: The Authlogic gem for Ruby on Rails, when used with certain versions before 3↗2013-01-04

▶

📋Vendor Advisories

Debian

CVE-2012-6497: rails - The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2....↗2012

▶

💬Community

Bugzilla

CVE-2012-6497 rubygem-authlogic: potential unsafe find_by_id method calls↗2013-01-04

▶

Bugzilla

CVE-2012-6497 rubygem-authlogic: potential unsafe find_by_id method calls [fedora-all]↗2013-01-04

▶