CVE-2012-2695 — Vulnetix

Try Vulnetix Request Demo

CVE-2012-2695 PUBLISHED

Reported by redhat · Published June 22, 2012

The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a
n/a	n/a	n/a, n/a
RubyGems	activerecord	3.2.0, 0, 3.0.0.beta

Timeline

Jun 22, 2012 CVE Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Oct 23, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 10, 2023 EPSS Score
Mar 28, 2023 EPSS Score
Jul 10, 2023 EPSS Score
Aug 31, 2023 EPSS Score

References

SUSE-SU-2012:1012 vendor-advisoryx_refsource_SUSE
openSUSE-SU-2012:0978 vendor-advisoryx_refsource_SUSE
SUSE-SU-2012:1014 vendor-advisoryx_refsource_SUSE
openSUSE-SU-2012:1066 vendor-advisoryx_refsource_SUSE
RHSA-2013:0154 vendor-advisoryx_refsource_REDHAT
[rubyonrails-security] 20120612 Ruby on Rails SQL Injection (CVE-2012-2695) mailing-listx_refsource_MLIST
https://nvd.nist.gov/vuln/detail/CVE-2012-2695 advisory
https://github.com/advisories/GHSA-76wq-xw4h-f8wj advisory
https://github.com/rails/rails/commit/62f81f4d6b3ee40e9887ffd92ab14714bad93f18 patch
https://github.com/rails/rails url
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2695.yml advisory
https://groups.google.com/g/rubyonrails-security/c/l4L0TEVAz1k/m/Vr84sD9B464J url

Open in Interactive Console →