CVE-2012-6496: SQL Injection
First published: Fri Jan 04 2013(Updated: )
SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/activerecord | <2.3.15 | 2.3.15 |
| rubygems/activerecord | >=3.0.0.beta<3.0.18 | 3.0.18 |
| rubygems/activerecord | >=3.2.0<3.2.10 | 3.2.10 |
| rubygems/activerecord | >=3.1.0<3.1.9 | 3.1.9 |
| Ruby on Rails | =3.1.0 | |
| Ruby on Rails | =3.1.0-beta1 | |
| Ruby on Rails | =3.1.0-rc1 | |
| Ruby on Rails | =3.1.0-rc2 | |
| Ruby on Rails | =3.1.0-rc3 | |
| Ruby on Rails | =3.1.0-rc4 | |
| Ruby on Rails | =3.1.0-rc5 | |
| Ruby on Rails | =3.1.0-rc6 | |
| Ruby on Rails | =3.1.0-rc7 | |
| Ruby on Rails | =3.1.0-rc8 | |
| Ruby on Rails | =3.1.1 | |
| Ruby on Rails | =3.1.1-rc1 | |
| Ruby on Rails | =3.1.1-rc2 | |
| Ruby on Rails | =3.1.1-rc3 | |
| Ruby on Rails | =3.1.2 | |
| Ruby on Rails | =3.1.2-rc1 | |
| Ruby on Rails | =3.1.2-rc2 | |
| Ruby on Rails | =3.1.3 | |
| Ruby on Rails | =3.1.4 | |
| Ruby on Rails | =3.1.4-rc1 | |
| Ruby on Rails | =3.1.5 | |
| Ruby on Rails | =3.1.5-rc1 | |
| Ruby on Rails | =3.1.6 | |
| Ruby on Rails | =3.1.7 | |
| Ruby on Rails | =3.1.8 | |
| Ruby on Rails | =3.0.0 | |
| Ruby on Rails | =3.0.0-beta | |
| Ruby on Rails | =3.0.0-beta2 | |
| Ruby on Rails | =3.0.0-beta3 | |
| Ruby on Rails | =3.0.0-beta4 | |
| Ruby on Rails | =3.0.0-rc | |
| Ruby on Rails | =3.0.0-rc2 | |
| Ruby on Rails | =3.0.1 | |
| Ruby on Rails | =3.0.1-pre | |
| Ruby on Rails | =3.0.2 | |
| Ruby on Rails | =3.0.2-pre | |
| Ruby on Rails | =3.0.3 | |
| Ruby on Rails | =3.0.4-rc1 | |
| Ruby on Rails | =3.0.5 | |
| Ruby on Rails | =3.0.5-rc1 | |
| Ruby on Rails | =3.0.6 | |
| Ruby on Rails | =3.0.6-rc1 | |
| Ruby on Rails | =3.0.6-rc2 | |
| Ruby on Rails | =3.0.7 | |
| Ruby on Rails | =3.0.7-rc1 | |
| Ruby on Rails | =3.0.7-rc2 | |
| Ruby on Rails | =3.0.8 | |
| Ruby on Rails | =3.0.8-rc1 | |
| Ruby on Rails | =3.0.8-rc2 | |
| Ruby on Rails | =3.0.8-rc3 | |
| Ruby on Rails | =3.0.8-rc4 | |
| Ruby on Rails | =3.0.9 | |
| Ruby on Rails | =3.0.9-rc1 | |
| Ruby on Rails | =3.0.9-rc2 | |
| Ruby on Rails | =3.0.9-rc3 | |
| Ruby on Rails | =3.0.9-rc4 | |
| Ruby on Rails | =3.0.9-rc5 | |
| Ruby on Rails | =3.0.10 | |
| Ruby on Rails | =3.0.10-rc1 | |
| Ruby on Rails | =3.0.11 | |
| Ruby on Rails | =3.0.12 | |
| Ruby on Rails | =3.0.12-rc1 | |
| Ruby on Rails | =3.0.13 | |
| Ruby on Rails | =3.0.13-rc1 | |
| Ruby on Rails | =3.0.14 | |
| Ruby on Rails | =3.0.16 | |
| Ruby on Rails | <=3.0.17 | |
| Ruby on Rails | =3.0.4 | |
| Ruby on Rails | =3.2.0 | |
| Ruby on Rails | =3.2.0-rc1 | |
| Ruby on Rails | =3.2.0-rc2 | |
| Ruby on Rails | =3.2.1 | |
| Ruby on Rails | =3.2.2 | |
| Ruby on Rails | =3.2.2-rc1 | |
| Ruby on Rails | =3.2.3 | |
| Ruby on Rails | =3.2.3-rc1 | |
| Ruby on Rails | =3.2.3-rc2 | |
| Ruby on Rails | =3.2.4 | |
| Ruby on Rails | =3.2.4-rc1 | |
| Ruby on Rails | =3.2.5 | |
| Ruby on Rails | =3.2.6 | |
| Ruby on Rails | =3.2.7 | |
| Ruby on Rails | =3.2.8 | |
| Ruby on Rails | =3.2.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
- http://rhn.redhat.com/errata/RHSA-2013-0154.html
- http://rhn.redhat.com/errata/RHSA-2013-0155.html
- http://rhn.redhat.com/errata/RHSA-2013-0220.html
- http://rhn.redhat.com/errata/RHSA-2013-0544.html
- http://security.gentoo.org/glsa/glsa-201401-22.xml
- http://www.securityfocus.com/bid/57084
- https://bugzilla.redhat.com/show_bug.cgi?id=889649
- https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain
- https://nvd.nist.gov/vuln/detail/CVE-2012-6496
- https://github.com/rails/rails/commit/9de9b359d0d24f70f0f6c5c58a7ad8750684d456
- http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
- https://github.com/advisories/GHSA-gh2w-j7cx-2664 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2012-6496?
CVE-2012-6496 has a medium severity rating as it allows remote attackers to execute arbitrary SQL commands.
How do I fix CVE-2012-6496?
To mitigate CVE-2012-6496, upgrade the Active Record component to version 2.3.15, 3.0.18, 3.1.9, or 3.2.10 or later.
Which versions of Ruby on Rails are affected by CVE-2012-6496?
CVE-2012-6496 affects Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10.
What type of vulnerability is CVE-2012-6496?
CVE-2012-6496 is an SQL injection vulnerability allowing attackers to manipulate SQL queries.
Can CVE-2012-6496 impact my application?
Yes, if your application utilizes the affected versions of Active Record, it may be vulnerable to SQL injection attacks.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/first-publish-date
- agent/references
- agent/description
- agent/event
- agent/source
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gh2w-j7cx-2664
- alias/CVE-2012-6496
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/github-advisory
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/rubygems
- vendor/rubyonrails
- canonical/ruby on rails
- version/ruby on rails/3.1.0
- version/ruby on rails/3.1.0-beta1
- version/ruby on rails/3.1.0-rc1
- version/ruby on rails/3.1.0-rc2
- version/ruby on rails/3.1.0-rc3
- version/ruby on rails/3.1.0-rc4
- version/ruby on rails/3.1.0-rc5
- version/ruby on rails/3.1.0-rc6
- version/ruby on rails/3.1.0-rc7
- version/ruby on rails/3.1.0-rc8
- version/ruby on rails/3.1.1
- version/ruby on rails/3.1.1-rc1
- version/ruby on rails/3.1.1-rc2
- version/ruby on rails/3.1.1-rc3
- version/ruby on rails/3.1.2
- version/ruby on rails/3.1.2-rc1
- version/ruby on rails/3.1.2-rc2
- version/ruby on rails/3.1.3
- version/ruby on rails/3.1.4
- version/ruby on rails/3.1.4-rc1
- version/ruby on rails/3.1.5
- version/ruby on rails/3.1.5-rc1
- version/ruby on rails/3.1.6
- version/ruby on rails/3.1.7
- version/ruby on rails/3.1.8
- version/ruby on rails/3.0.0
- version/ruby on rails/3.0.0-beta
- version/ruby on rails/3.0.0-beta2
- version/ruby on rails/3.0.0-beta3
- version/ruby on rails/3.0.0-beta4
- version/ruby on rails/3.0.0-rc
- version/ruby on rails/3.0.0-rc2
- version/ruby on rails/3.0.1
- version/ruby on rails/3.0.1-pre
- version/ruby on rails/3.0.2
- version/ruby on rails/3.0.2-pre
- version/ruby on rails/3.0.3
- version/ruby on rails/3.0.4-rc1
- version/ruby on rails/3.0.5
- version/ruby on rails/3.0.5-rc1
- version/ruby on rails/3.0.6
- version/ruby on rails/3.0.6-rc1
- version/ruby on rails/3.0.6-rc2
- version/ruby on rails/3.0.7
- version/ruby on rails/3.0.7-rc1
- version/ruby on rails/3.0.7-rc2
- version/ruby on rails/3.0.8
- version/ruby on rails/3.0.8-rc1
- version/ruby on rails/3.0.8-rc2
- version/ruby on rails/3.0.8-rc3
- version/ruby on rails/3.0.8-rc4
- version/ruby on rails/3.0.9
- version/ruby on rails/3.0.9-rc1
- version/ruby on rails/3.0.9-rc2
- version/ruby on rails/3.0.9-rc3
- version/ruby on rails/3.0.9-rc4
- version/ruby on rails/3.0.9-rc5
- version/ruby on rails/3.0.10
- version/ruby on rails/3.0.10-rc1
- version/ruby on rails/3.0.11
- version/ruby on rails/3.0.12
- version/ruby on rails/3.0.12-rc1
- version/ruby on rails/3.0.13
- version/ruby on rails/3.0.13-rc1
- version/ruby on rails/3.0.14
- version/ruby on rails/3.0.16
- version/ruby on rails/3.0.17
- version/ruby on rails/3.0.4
- version/ruby on rails/3.2.0
- version/ruby on rails/3.2.0-rc1
- version/ruby on rails/3.2.0-rc2
- version/ruby on rails/3.2.1
- version/ruby on rails/3.2.2
- version/ruby on rails/3.2.2-rc1
- version/ruby on rails/3.2.3
- version/ruby on rails/3.2.3-rc1
- version/ruby on rails/3.2.3-rc2
- version/ruby on rails/3.2.4
- version/ruby on rails/3.2.4-rc1
- version/ruby on rails/3.2.5
- version/ruby on rails/3.2.6
- version/ruby on rails/3.2.7
- version/ruby on rails/3.2.8
- version/ruby on rails/3.2.9