CVE-2012-6497
Published: 2013-01-04
Severity: medium, score 5 (CVSS 3.1)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rails | < rails 2.3.14.1 (bookworm) | rails 2.3.14.1 (bookworm) |
| rubyonrails | rails | < 3.2.10 | 3.2.10 |
| rubyonrails | rails | >= 0 < 2.3.14.1 | 2.3.14.1 |
| rubyonrails | rails | >= 0 < 2.3.14.1 | 2.3.14.1 |
| rubyonrails | rails | >= 0 < 2.3.14.1 | 2.3.14.1 |
| rubyonrails | rails | >= 0 < 2.3.14.1 | 2.3.14.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | 7.5 | HIGH | |
| osv | 7.5 | HIGH | |