Back to search
CVE-2012-2661
Published: Jun 22, 2012
Modified: Aug 6, 2024
PUBLISHED
Description
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
[rubyonrails-security] 20120531 SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2661)
mailing-list
x_refsource_MLIST
SUSE-SU-2012:1012
vendor-advisory
x_refsource_SUSE
SUSE-SU-2012:1014
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2012:1066
vendor-advisory
x_refsource_SUSE
RHSA-2013:0154
vendor-advisory
x_refsource_REDHAT
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now