Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 6.4
CVE Id: CVE-2012-2660
Last Modified: 06 Feb 2013 11:55:37
Published: 22 Jun 2012 10:55:01
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2012-2660

Summary

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.

Vulnerable Systems

Application

  • David Hansson Ruby On Rails 1.2.3
  • David Hansson Ruby On Rails 2.3.3
  • Ruby On Rails 0.10.0
  • Ruby On Rails 0.10.1
  • Ruby On Rails 0.11.0
  • Ruby On Rails 0.11.1
  • Ruby On Rails 0.12.0
  • Ruby On Rails 0.12.1
  • Ruby On Rails 0.13.0
  • Ruby On Rails 0.13.1
  • Ruby On Rails 0.14.1
  • Ruby On Rails 0.14.2
  • Ruby On Rails 0.14.3
  • Ruby On Rails 0.14.4
  • Ruby On Rails 0.5.0
  • Ruby On Rails 0.5.5
  • Ruby On Rails 0.5.6
  • Ruby On Rails 0.5.7
  • Ruby On Rails 0.6.0
  • Ruby On Rails 0.6.5
  • Ruby On Rails 0.7.0
  • Ruby On Rails 0.8.0
  • Ruby On Rails 0.8.5
  • Ruby On Rails 0.9.0
  • Ruby On Rails 0.9.1
  • Ruby On Rails 0.9.2
  • Ruby On Rails 0.9.3
  • Ruby On Rails 0.9.4
  • Ruby On Rails 0.9.4.1
  • Ruby On Rails 1.0.0
  • Ruby On Rails 1.1.0
  • Ruby On Rails 1.1.1
  • Ruby On Rails 1.1.2
  • Ruby On Rails 1.1.3
  • Ruby On Rails 1.1.4
  • Ruby On Rails 1.1.5
  • Ruby On Rails 1.1.6
  • Ruby On Rails 1.2.0
  • Ruby On Rails 1.2.1
  • Ruby On Rails 1.2.2
  • Ruby On Rails 1.2.3
  • Ruby On Rails 1.2.4
  • Ruby On Rails 1.2.5
  • Ruby On Rails 1.2.6
  • Ruby On Rails 1.9.5
  • Ruby On Rails 2.0.0
  • Ruby On Rails 2.0.1
  • Ruby On Rails 2.0.2
  • Ruby On Rails 2.0.4
  • Ruby On Rails 2.1
  • Ruby On Rails 2.1.0
  • Ruby On Rails 2.1.1
  • Ruby On Rails 2.1.2
  • Ruby On Rails 2.2.0
  • Ruby On Rails 2.2.1
  • Ruby On Rails 2.2.2
  • Ruby On Rails 2.3.10
  • Ruby On Rails 2.3.11
  • Ruby On Rails 2.3.12
  • Ruby On Rails 2.3.2
  • Ruby On Rails 2.3.3
  • Ruby On Rails 2.3.4
  • Ruby On Rails 2.3.9
  • Ruby On Rails 3.0.0
  • Ruby On Rails 3.0.1
  • Ruby On Rails 3.0.10
  • Ruby On Rails 3.0.11
  • Ruby On Rails 3.0.12
  • Ruby On Rails 3.0.13
  • Ruby On Rails 3.0.2
  • Ruby On Rails 3.0.3
  • Ruby On Rails 3.0.4
  • Ruby On Rails 3.0.5
  • Ruby On Rails 3.0.6
  • Ruby On Rails 3.0.7
  • Ruby On Rails 3.0.8
  • Ruby On Rails 3.0.9
  • Ruby On Rails 3.1.0
  • Ruby On Rails 3.1.1
  • Ruby On Rails 3.1.2
  • Ruby On Rails 3.1.2rc1
  • Ruby On Rails 3.1.3
  • Ruby On Rails 3.1.4
  • Ruby On Rails 3.1.5
  • Ruby On Rails 3.2.0
  • Ruby On Rails 3.2.1
  • Ruby On Rails 3.2.2
  • Ruby On Rails 3.2.3
  • Ruby On Rails 3.2.4
  • Rubyonrails Ruby On Rails 3.0.0
  • Rubyonrails Ruby On Rails 3.0.1
  • Rubyonrails Ruby On Rails 3.0.10
  • Rubyonrails Ruby On Rails 3.0.11
  • Rubyonrails Ruby On Rails 3.0.12
  • Rubyonrails Ruby On Rails 3.0.13
  • Rubyonrails Ruby On Rails 3.0.2
  • Rubyonrails Ruby On Rails 3.0.3
  • Rubyonrails Ruby On Rails 3.0.4
  • Rubyonrails Ruby On Rails 3.0.5
  • Rubyonrails Ruby On Rails 3.0.6
  • Rubyonrails Ruby On Rails 3.0.7
  • Rubyonrails Ruby On Rails 3.0.8
  • Rubyonrails Ruby On Rails 3.0.9
  • Rubyonrails Ruby On Rails 3.1.0
  • Rubyonrails Ruby On Rails 3.1.1
  • Rubyonrails Ruby On Rails 3.1.2
  • Rubyonrails Ruby On Rails 3.1.3
  • Rubyonrails Ruby On Rails 3.1.4
  • Rubyonrails Ruby On Rails 3.1.5
  • Rubyonrails Ruby On Rails 3.2.0
  • Rubyonrails Ruby On Rails 3.2.1
  • Rubyonrails Ruby On Rails 3.2.2
  • Rubyonrails Ruby On Rails 3.2.3
  • Rubyonrails Ruby On Rails 3.2.4

References

MLIST - [rubyonrails-security] 20120531 Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)
SUSE - SUSE-SU-2012:1015
SUSE - openSUSE-SU-2012:0978
SUSE - openSUSE-SU-2012:1066
SUSE - SUSE-SU-2012:1014
SUSE - SUSE-SU-2012:1012
REDHAT - RHSA-2013:0154

Last Updated: 27 May 2016 10:56:34