CVE-2012-2661
Published: 22 June 2012
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
Notes
Author | Note |
---|---|
tyhicks | Fixed in upstream version 3.2.4, 3.1.5, 3.0.13 2.3.x is not affected |
Priority
Status
Package | Release | Status |
---|---|---|
rails Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
|
lucid |
Not vulnerable
|
|
natty |
Not vulnerable
|
|
oneiric |
Not vulnerable
(contains no code)
|
|
precise |
Not vulnerable
(contains no code)
|
|
upstream |
Released
(3.2.4, 3.1.5, 3.0.13)
|
|
ruby-rails-2.3 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Not vulnerable
|
|
precise |
Not vulnerable
|
|
upstream |
Not vulnerable
|