CVE-2012-6496 (retired)

Priority
Description
SQL injection vulnerability in the Active Record component in Ruby on Rails
before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote
attackers to execute arbitrary SQL commands via a crafted request that
leverages incorrect behavior of dynamic finders in applications that can
use unexpected data types in certain find_by_ method calls.
Notes
 mdeslaur> in Oneiric+, rails package is just for transition
 sarnold> The authlogic gem was frequently cited as the problem in early
 sarnold> reports, but the problem is with core Active Record. authlogic
 sarnold> was just one vector known to allow exploiting the problem.
 sarnold> CVE-2012-5664 was rejected as a result of the confusion.
Package
Upstream:ignored (reached end-of-life)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needed)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Patches:
Upstream:https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/2-3-dynamic_finder_injection.patch?view=1&part=2
Package
Upstream:released (3.2.10)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Patches:
Upstream:https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/3-2-dynamic_finder_injection.patch?view=1&part=5
More Information

Updated: 2019-09-19 15:42:46 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)