CVE-2012-6496 (retired)

Priority
Description
SQL injection vulnerability in the Active Record component in Ruby on Rails
before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote
attackers to execute arbitrary SQL commands via a crafted request that
leverages incorrect behavior of dynamic finders in applications that can
use unexpected data types in certain find_by_ method calls.
Notes
 mdeslaur> in Oneiric+, rails package is just for transition
 sarnold> The authlogic gem was frequently cited as the problem in early
 sarnold> reports, but the problem is with core Active Record. authlogic
 sarnold> was just one vector known to allow exploiting the problem.
 sarnold> CVE-2012-5664 was rejected as a result of the confusion.
Package
Upstream:ignored (reached end-of-life)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Patches:
Upstream:https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/2-3-dynamic_finder_injection.patch?view=1&part=2
Package
Upstream:released (3.2.10)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (3.2.16-1)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Patches:
Upstream:https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/3-2-dynamic_finder_injection.patch?view=1&part=5
More Information

Updated: 2019-03-26 12:05:22 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)