CVE-2012-6496
Published: 4 January 2013
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
Notes
| Author | Note |
|---|---|
| mdeslaur | in Oneiric+, rails package is just for transition |
| seth-arnold | The authlogic gem was frequently cited as the problem in early reports, but the problem is with core Active Record. authlogic was just one vector known to allow exploiting the problem. CVE-2012-5664 was rejected as a result of the confusion. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
rails Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Ignored
(end of life)
|
|
| oneiric |
Not vulnerable
(contains no code)
|
|
| precise |
Not vulnerable
(contains no code)
|
|
| quantal |
Not vulnerable
(contains no code)
|
|
| raring |
Not vulnerable
(contains no code)
|
|
| saucy |
Not vulnerable
(contains no code)
|
|
| trusty |
Does not exist
(trusty was not-affected [contains no code])
|
|
| upstream |
Released
(3.2.10, 3.1.9, 3.0.18)
|
|
| utopic |
Not vulnerable
(contains no code)
|
|
| vivid |
Not vulnerable
(contains no code)
|
|
| wily |
Not vulnerable
(contains no code)
|
|
| xenial |
Not vulnerable
(contains no code)
|
|
| yakkety |
Not vulnerable
(contains no code)
|
|
| zesty |
Not vulnerable
(contains no code)
|
|
|
Patches: upstream: https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/2-3-dynamic_finder_injection.patch?view=1&part=2 upstream: https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/3-0-dynamic_finder_injection.patch?view=1&part=3 upstream: https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/3-1-dynamic_finder_injection.patch?view=1&part=4 upstream: https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/3-2-dynamic_finder_injection.patch?view=1&part=5 |
||
|
ruby-activerecord-2.3 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Ignored
(end of life)
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Ignored
(end of life)
|
|
| trusty |
Does not exist
|
|
| upstream |
Ignored
(end of life)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/2-3-dynamic_finder_injection.patch?view=1&part=2 |
||
|
ruby-activerecord-3.2 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Not vulnerable
(3.2.13-4)
|
|
| trusty |
Does not exist
(trusty was not-affected [3.2.16-1])
|
|
| upstream |
Released
(3.2.10)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: https://rubyonrails-security.googlegroups.com/attach/23daa048baf28b64/3-2-dynamic_finder_injection.patch?view=1&part=5 |
||
References
- http://www.openwall.com/lists/oss-security/2013/01/03/5
- http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
- https://groups.google.com/forum/#!topic/rubyonrails-security/DCNTNp_qjFM
- http://www.openwall.com/lists/oss-security/2013/01/03/12
- https://www.cve.org/CVERecord?id=CVE-2012-6496
- NVD
- Launchpad
- Debian