Candidate: CVE-2012-2695
PublicDate: 2012-06-22 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2695
 https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source&output=gplain
Description:
 The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675429
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_ruby-activerecord-3.2:
upstream_ruby-activerecord-3.2: released (3.2.6-1)
hardy_ruby-activerecord-3.2: DNE
lucid_ruby-activerecord-3.2: DNE
natty_ruby-activerecord-3.2: DNE
oneiric_ruby-activerecord-3.2: DNE
precise_ruby-activerecord-3.2: DNE
devel_ruby-activerecord-3.2: not-affected (3.2.6-1)