CVE-2012-6496

Priority
Description
SQL injection vulnerability in the Active Record component in Ruby on Rails
before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote
attackers to execute arbitrary SQL commands via a crafted request that
leverages incorrect behavior of dynamic finders in applications that can
use unexpected data types in certain find_by_ method calls.
Notes
mdeslaurin Oneiric+, rails package is just for transition
sarnoldThe authlogic gem was frequently cited as the problem in early
reports, but the problem is with core Active Record. authlogic
was just one vector known to allow exploiting the problem.
CVE-2012-5664 was rejected as a result of the confusion.
Package
Upstream:ignored (reached end-of-life)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Patches:
Upstream:https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/2-3-dynamic_finder_injection.patch?view=1&part=2
Package
Upstream:released (3.2.10)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [3.2.16-1])
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Patches:
Upstream:https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/3-2-dynamic_finder_injection.patch?view=1&part=5
More Information

Updated: 2020-01-29 19:45:39 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)