What is the severity of CVE-2012-2694?

CVE-2012-2694 has a CVSS score indicating a medium severity vulnerability that could allow remote attackers to bypass intended database access controls.

How do I fix CVE-2012-2694?

To mitigate CVE-2012-2694, upgrade Ruby on Rails to versions 3.2.6, 3.1.6, or 3.0.14 and later.

Which versions of Ruby on Rails are affected by CVE-2012-2694?

CVE-2012-2694 affects Ruby on Rails versions before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6.

What type of attacks can exploit CVE-2012-2694?

CVE-2012-2694 allows remote attackers to bypass database access controls by exploiting weaknesses in parameter handling.

Is CVE-2012-2694 relevant for my application?

If your application uses Ruby on Rails version prior to the secure releases mentioned, it is vulnerable to CVE-2012-2694.

Vulnerability/
CVE-2012-2694

medium

4.3

CWE

264

13/6/2012

22/6/2012

24/10/2017

20/1/2025

CVE-2012-2694

First published: Wed Jun 13 2012(Updated: )

`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660.

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/rubygem-actionpack	<3.2.6	3.2.6
redhat/rubygem-actionpack	<3.1.6	3.1.6
redhat/rubygem-actionpack	<3.0.14	3.0.14
rubygems/actionpack	>=3.0.13<3.0.14	3.0.14
rubygems/actionpack	>=3.2.0<3.2.6	3.2.6
rubygems/actionpack	>=3.1.0<3.1.6	3.1.6
rubyonrails Rails	=3.0.0
rubyonrails Rails	=3.0.0-beta
rubyonrails Rails	=3.0.0-beta2
rubyonrails Rails	=3.0.0-beta3
rubyonrails Rails	=3.0.0-beta4
rubyonrails Rails	=3.0.0-rc
rubyonrails Rails	=3.0.0-rc2
rubyonrails Rails	=3.0.1
rubyonrails Rails	=3.0.1-pre
rubyonrails Rails	=3.0.2
rubyonrails Rails	=3.0.2-pre
rubyonrails Rails	=3.0.3
rubyonrails Rails	=3.0.4-rc1
rubyonrails Rails	=3.0.5
rubyonrails Rails	=3.0.5-rc1
rubyonrails Rails	=3.0.6
rubyonrails Rails	=3.0.6-rc1
rubyonrails Rails	=3.0.6-rc2
rubyonrails Rails	=3.0.7
rubyonrails Rails	=3.0.7-rc1
rubyonrails Rails	=3.0.7-rc2
rubyonrails Rails	=3.0.8
rubyonrails Rails	=3.0.8-rc1
rubyonrails Rails	=3.0.8-rc2
rubyonrails Rails	=3.0.8-rc3
rubyonrails Rails	=3.0.8-rc4
rubyonrails Rails	=3.0.9
rubyonrails Rails	=3.0.9-rc1
rubyonrails Rails	=3.0.9-rc2
rubyonrails Rails	=3.0.9-rc3
rubyonrails Rails	=3.0.9-rc4
rubyonrails Rails	=3.0.9-rc5
rubyonrails Rails	=3.0.10
rubyonrails Rails	=3.0.10-rc1
rubyonrails Rails	=3.0.11
rubyonrails Rails	=3.0.12
rubyonrails Rails	=3.0.12-rc1
rubyonrails Rails	=3.0.13-rc1
Ruby on Rails	<=3.0.13
Ruby on Rails	=3.0.4
rubyonrails Rails	=3.1.0
rubyonrails Rails	=3.1.0-beta1
rubyonrails Rails	=3.1.0-rc1
rubyonrails Rails	=3.1.0-rc2
rubyonrails Rails	=3.1.0-rc3
rubyonrails Rails	=3.1.0-rc4
rubyonrails Rails	=3.1.0-rc5
rubyonrails Rails	=3.1.0-rc6
rubyonrails Rails	=3.1.0-rc7
rubyonrails Rails	=3.1.0-rc8
rubyonrails Rails	=3.1.1
rubyonrails Rails	=3.1.1-rc1
rubyonrails Rails	=3.1.1-rc2
rubyonrails Rails	=3.1.1-rc3
rubyonrails Rails	=3.1.2
rubyonrails Rails	=3.1.2-rc1
rubyonrails Rails	=3.1.2-rc2
rubyonrails Rails	=3.1.3
rubyonrails Rails	=3.1.4
rubyonrails Rails	=3.1.4-rc1
rubyonrails Rails	=3.1.5
rubyonrails Rails	=3.1.5-rc1
rubyonrails Rails	=3.2.0
rubyonrails Rails	=3.2.0-rc1
rubyonrails Rails	=3.2.0-rc2
rubyonrails Rails	=3.2.1
rubyonrails Rails	=3.2.2
rubyonrails Rails	=3.2.2-rc1
rubyonrails Rails	=3.2.3
rubyonrails Rails	=3.2.3-rc1
rubyonrails Rails	=3.2.3-rc2
rubyonrails Rails	=3.2.4
rubyonrails Rails	=3.2.4-rc1
rubyonrails Rails	=3.2.5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2012-2694?
CVE-2012-2694 has a CVSS score indicating a medium severity vulnerability that could allow remote attackers to bypass intended database access controls.
How do I fix CVE-2012-2694?
To mitigate CVE-2012-2694, upgrade Ruby on Rails to versions 3.2.6, 3.1.6, or 3.0.14 and later.
Which versions of Ruby on Rails are affected by CVE-2012-2694?
CVE-2012-2694 affects Ruby on Rails versions before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6.
What type of attacks can exploit CVE-2012-2694?
CVE-2012-2694 allows remote attackers to bypass database access controls by exploiting weaknesses in parameter handling.
Is CVE-2012-2694 relevant for my application?
If your application uses Ruby on Rails version prior to the secure releases mentioned, it is vulnerable to CVE-2012-2694.

collector/redhat-bugzilla
alias/CVE-2012-2694
agent/author
agent/type
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-q34c-48gc-m9g8
agent/software-canonical-lookup
agent/severity
agent/references
agent/weakness
agent/last-modified-date
agent/description
agent/event
agent/source
collector/github-advisory
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
package-manager/redhat
package-manager/rubygems
vendor/rubyonrails
canonical/rubyonrails rails
version/rubyonrails rails/3.0.0
version/rubyonrails rails/3.0.0-beta
version/rubyonrails rails/3.0.0-beta2
version/rubyonrails rails/3.0.0-beta3
version/rubyonrails rails/3.0.0-beta4
version/rubyonrails rails/3.0.0-rc
version/rubyonrails rails/3.0.0-rc2
version/rubyonrails rails/3.0.1
version/rubyonrails rails/3.0.1-pre
version/rubyonrails rails/3.0.2
version/rubyonrails rails/3.0.2-pre
version/rubyonrails rails/3.0.3
version/rubyonrails rails/3.0.4-rc1
version/rubyonrails rails/3.0.5
version/rubyonrails rails/3.0.5-rc1
version/rubyonrails rails/3.0.6
version/rubyonrails rails/3.0.6-rc1
version/rubyonrails rails/3.0.6-rc2
version/rubyonrails rails/3.0.7
version/rubyonrails rails/3.0.7-rc1
version/rubyonrails rails/3.0.7-rc2
version/rubyonrails rails/3.0.8
version/rubyonrails rails/3.0.8-rc1
version/rubyonrails rails/3.0.8-rc2
version/rubyonrails rails/3.0.8-rc3
version/rubyonrails rails/3.0.8-rc4
version/rubyonrails rails/3.0.9
version/rubyonrails rails/3.0.9-rc1
version/rubyonrails rails/3.0.9-rc2
version/rubyonrails rails/3.0.9-rc3
version/rubyonrails rails/3.0.9-rc4
version/rubyonrails rails/3.0.9-rc5
version/rubyonrails rails/3.0.10
version/rubyonrails rails/3.0.10-rc1
version/rubyonrails rails/3.0.11
version/rubyonrails rails/3.0.12
version/rubyonrails rails/3.0.12-rc1
version/rubyonrails rails/3.0.13-rc1
canonical/ruby on rails
version/ruby on rails/3.0.13
version/ruby on rails/3.0.4
version/rubyonrails rails/3.1.0
version/rubyonrails rails/3.1.0-beta1
version/rubyonrails rails/3.1.0-rc1
version/rubyonrails rails/3.1.0-rc2
version/rubyonrails rails/3.1.0-rc3
version/rubyonrails rails/3.1.0-rc4
version/rubyonrails rails/3.1.0-rc5
version/rubyonrails rails/3.1.0-rc6
version/rubyonrails rails/3.1.0-rc7
version/rubyonrails rails/3.1.0-rc8
version/rubyonrails rails/3.1.1
version/rubyonrails rails/3.1.1-rc1
version/rubyonrails rails/3.1.1-rc2
version/rubyonrails rails/3.1.1-rc3
version/rubyonrails rails/3.1.2
version/rubyonrails rails/3.1.2-rc1
version/rubyonrails rails/3.1.2-rc2
version/rubyonrails rails/3.1.3
version/rubyonrails rails/3.1.4
version/rubyonrails rails/3.1.4-rc1
version/rubyonrails rails/3.1.5
version/rubyonrails rails/3.1.5-rc1
version/rubyonrails rails/3.2.0
version/rubyonrails rails/3.2.0-rc1
version/rubyonrails rails/3.2.0-rc2
version/rubyonrails rails/3.2.1
version/rubyonrails rails/3.2.2
version/rubyonrails rails/3.2.2-rc1
version/rubyonrails rails/3.2.3
version/rubyonrails rails/3.2.3-rc1
version/rubyonrails rails/3.2.3-rc2
version/rubyonrails rails/3.2.4
version/rubyonrails rails/3.2.4-rc1
version/rubyonrails rails/3.2.5