CVE-2012-2660
Published: 22 June 2012
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694. There is a vulnerability when Active Record is used in conjunction with parameter parsing from Rack via Action Pack.
Notes
Author | Note |
---|---|
tyhicks | From the advisory, it sounds like 2.3 is affected. |
Priority
Status
Package | Release | Status |
---|---|---|
rails (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
rails | lucid | Ignored (end of life) |
rails | natty | Ignored (end of life) |
rails | oneiric | Not vulnerable (contains no code) |
rails | precise | Not vulnerable (contains no code) |
rails | quantal | Not vulnerable (contains no code) |
rails | raring | Not vulnerable (contains no code) |
rails | saucy | Not vulnerable (contains no code) |
rails | trusty | Does not exist (trusty was not-affected [contains no code]) |
rails | upstream | Needs triage |
rails | utopic | Not vulnerable (contains no code) |
rails | vivid | Not vulnerable (contains no code) |
rails | wily | Not vulnerable (contains no code) |
rails | xenial | Not vulnerable (contains no code) |
rails | yakkety | Not vulnerable (contains no code) |
rails | zesty | Not vulnerable (contains no code) |
ruby-rails-2.3 (Launchpad, Ubuntu, Debian) | hardy | Does not exist |
ruby-rails-2.3 | lucid | Does not exist |
ruby-rails-2.3 | natty | Does not exist |
ruby-rails-2.3 | oneiric | Ignored (end of life) |
ruby-rails-2.3 | precise | Ignored (end of life) |
ruby-rails-2.3 | quantal | Ignored (end of life) |
ruby-rails-2.3 | raring | Ignored (end of life) |
ruby-rails-2.3 | saucy | Ignored (end of life) |
ruby-rails-2.3 | trusty | Does not exist |
ruby-rails-2.3 | upstream | Needs triage |
ruby-rails-2.3 | utopic | Does not exist |
ruby-rails-2.3 | vivid | Does not exist |
ruby-rails-2.3 | wily | Does not exist |
ruby-rails-2.3 | xenial | Does not exist |
ruby-rails-2.3 | yakkety | Does not exist |
ruby-rails-2.3 | zesty | Does not exist |