Back to search
CVE-2012-2695
Published: Jun 22, 2012
Modified: Aug 6, 2024
PUBLISHED
Description
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
SUSE-SU-2012:1012
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2012:0978
vendor-advisory
x_refsource_SUSE
SUSE-SU-2012:1014
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2012:1066
vendor-advisory
x_refsource_SUSE
RHSA-2013:0154
vendor-advisory
x_refsource_REDHAT
[rubyonrails-security] 20120612 Ruby on Rails SQL Injection (CVE-2012-2695)
mailing-list
x_refsource_MLIST
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now