Back to search
CVE-2012-2694
Published: Jun 22, 2012
Modified: Aug 6, 2024
PUBLISHED
Description
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
SUSE-SU-2012:1015
vendor-advisory
x_refsource_SUSE
SUSE-SU-2012:1012
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2012:0978
vendor-advisory
x_refsource_SUSE
SUSE-SU-2012:1014
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2012:1066
vendor-advisory
x_refsource_SUSE
[rubyonrails-security] 20120612 Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
mailing-list
x_refsource_MLIST
RHSA-2013:0154
vendor-advisory
x_refsource_REDHAT
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now