Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5
CVE Id CVE-2012-6496
Last Modified 29 Jul 2015 12:12:57
Published 03 Jan 2013 11:46:02
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2012-6496

Summary

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

Vulnerable Systems

Application

  • Rubyonrails Ruby On Rails 3.0.0
  • Rubyonrails Ruby On Rails 3.0.1
  • Rubyonrails Ruby On Rails 3.0.2
  • Rubyonrails Ruby On Rails 3.0.3
  • Rubyonrails Ruby On Rails 3.0.4
  • Rubyonrails Ruby On Rails 3.0.5
  • Rubyonrails Ruby On Rails 3.0.6
  • Rubyonrails Ruby On Rails 3.0.7
  • Rubyonrails Ruby On Rails 3.0.8
  • Rubyonrails Ruby On Rails 3.0.9
  • Rubyonrails Ruby On Rails 3.0.10
  • Rubyonrails Ruby On Rails 3.0.11
  • Rubyonrails Ruby On Rails 3.0.12
  • Rubyonrails Ruby On Rails 3.0.13
  • Rubyonrails Ruby On Rails 3.0.14
  • Rubyonrails Ruby On Rails 3.0.16
  • Rubyonrails Ruby On Rails 3.0.17
  • Rubyonrails Ruby On Rails 3.1.0
  • Rubyonrails Ruby On Rails 3.1.1
  • Rubyonrails Ruby On Rails 3.1.2
  • Rubyonrails Ruby On Rails 3.1.3
  • Rubyonrails Ruby On Rails 3.1.4
  • Rubyonrails Ruby On Rails 3.1.5
  • Rubyonrails Ruby On Rails 3.1.6
  • Rubyonrails Ruby On Rails 3.1.7
  • Rubyonrails Ruby On Rails 3.1.8
  • Rubyonrails Ruby On Rails 3.2.0
  • Rubyonrails Ruby On Rails 3.2.1
  • Rubyonrails Ruby On Rails 3.2.2
  • Rubyonrails Ruby On Rails 3.2.3
  • Rubyonrails Ruby On Rails 3.2.4
  • Rubyonrails Ruby On Rails 3.2.5
  • Rubyonrails Ruby On Rails 3.2.6
  • Rubyonrails Ruby On Rails 3.2.7
  • Rubyonrails Ruby On Rails 3.2.8
  • Rubyonrails Ruby On Rails 3.2.9

References

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=889649
MLIST - [rubyonrails-security] 20130102 SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)
MISC - http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
REDHAT - RHSA-2013:0155
REDHAT - RHSA-2013:0154
REDHAT - RHSA-2013:0220
REDHAT - RHSA-2013:0544
GENTOO - GLSA-201401-22


Last Updated: 27 May 2016 11:01:34