VDB
CVE-2012-2694
CVE-2012-2694
PUBLISHED
Reported by redhat · Published June 22, 2012
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| n/a | n/a | n/a, *, n/a |
| RubyGems | actionpack | 3.0.13, 3.2.0, 3.1.0 |
Exploit Intelligence
- https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain (nist-nvd)
- Unsafe Query Generation (CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155) mitigation bypass (hackerone)
- Unsafe Query Generation (CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155) mitigation bypass (hackerone)
- Unsafe Query Generation (CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155) mitigation bypass (hackerone)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
…and 19 more exploits
Timeline
- CVE Published
- Feb 7, 2018 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
References
- SUSE-SU-2012:1015 vendor-advisoryx_refsource_SUSE
- SUSE-SU-2012:1012 vendor-advisoryx_refsource_SUSE
- openSUSE-SU-2012:0978 vendor-advisoryx_refsource_SUSE
- SUSE-SU-2012:1014 vendor-advisoryx_refsource_SUSE
- openSUSE-SU-2012:1066 vendor-advisoryx_refsource_SUSE
- [rubyonrails-security] 20120612 Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694) mailing-listx_refsource_MLIST
- RHSA-2013:0154 vendor-advisoryx_refsource_REDHAT
- https://nvd.nist.gov/vuln/detail/CVE-2012-2694 advisory
- https://github.com/advisories/GHSA-q34c-48gc-m9g8 advisory
- https://github.com/rails/rails/commit/2f3bc0467311781ac1ceb2c8c2b09002c8fe143a patch
- https://github.com/rails/rails/commit/c202638225519b5e1a03ebe523b109c948fb0e52 patch
- https://github.com/rails/rails url
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml advisory
- https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ url