CVE-2012-2695
Reported by redhat · Published June 22, 2012
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not safely handle request data passed to the `where` method of an ActiveRecord class. A nested hash supplied through nested query parameters (which Rack decodes into a Hash) is interpreted by the query builder as table-qualified conditions rather than as a single value, which allows remote attackers to alter the generated SQL. This is the follow-up to the related issue CVE-2012-2661, whose fix did not cover nested hashes.
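The description covers the mechanism only in outline. The script below is an added example, not code from this page, from Rails or from the advisory: in plain Ruby it models how the pre-fix predicate builder treated a Hash value as conditions on another table (so a request like `?id[users][id]=1` reaching `Post.where(:id => params[:id])` produces `users.id = '1'` and no constraint on `posts.id` at all), models the framework fix as limiting that interpretation to a single level of nesting, and shows the application-side mitigation of coercing the parameter to its expected type before it reaches `where`. The method names and the tiny query-string parser are this example's own assumptions; Rack and Arel handle many more cases than are modelled here.

```ruby
require 'uri'

# Added example, not Rails' own code: a deliberately simplified model of how
# Active Record (before 3.0.14 / 3.1.6 / 3.2.6) turned a conditions Hash into
# SQL, why a nested Hash arriving from request parameters changes the query,
# and how the fixes close the hole. Method names are this example's own.

# Minimal Rack-style nested query-string parser (assumption: bracket nesting
# only, no "[]" arrays).  "id[users][id]=1" => {"id"=>{"users"=>{"id"=>"1"}}}
def parse_nested_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    key, value = pair.split('=', 2)
    key   = URI.decode_www_form_component(key.to_s)
    value = URI.decode_www_form_component(value.to_s)
    path  = key.scan(/[^\[\]]+/)           # "id[users][id]" => ["id", "users", "id"]
    node  = params
    path[0...-1].each { |k| node = (node[k] ||= {}) }
    node[path.last] = value
  end
  params
end

# SQL string-literal quoting for the generated fragments.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Model of the vulnerable behaviour: a Hash value means "conditions on another
# table", so the key becomes a table name and the recursion has no depth limit.
# where(:id => params[:id]) therefore stops constraining posts.id whenever the
# attacker makes params[:id] a Hash.
def unsafe_conditions(table, attrs)
  attrs.flat_map do |column, value|
    if value.is_a?(Hash)
      unsafe_conditions(column.to_s, value)
    else
      tbl, col = table, column.to_s
      tbl, col = col.split('.', 2) if col.include?('.')   # "users.id" => users, id
      [value.nil? ? "#{tbl}.#{col} IS NULL" : "#{tbl}.#{col} = #{quote(value)}"]
    end
  end
end

# Model of the framework-side fix: the table-name interpretation is allowed
# for one level only (the legitimate where(:users => {:id => 1}) form used
# with joins). A Hash at a deeper level is rejected instead of becoming a
# second table reference, and dotted keys are not split at that depth.
def patched_conditions(table, attrs, allow_table_name = true)
  attrs.flat_map do |column, value|
    col = column.to_s
    if allow_table_name && value.is_a?(Hash)
      patched_conditions(col, value, false)
    else
      raise ArgumentError, "nested Hash not allowed for #{table}.#{col}" if value.is_a?(Hash)
      tbl = table
      tbl, col = col.split('.', 2) if allow_table_name && col.include?('.')
      [value.nil? ? "#{tbl}.#{col} IS NULL" : "#{tbl}.#{col} = #{quote(value)}"]
    end
  end
end

# Application-side mitigation from the advisory: coerce each request value to
# the type the column expects before it reaches where(). Integer() raises
# TypeError for a Hash and ArgumentError for anything that is not an integer.
def safe_conditions(table, column, raw_param)
  ["#{table}.#{column} = #{Integer(raw_param)}"]
end

if __FILE__ == $PROGRAM_NAME
  ["id=42", "id[users][id]=1"].each do |qs|
    params = parse_nested_query(qs)
    puts "?#{qs}"
    puts "  unsafe:  WHERE " + unsafe_conditions("posts", params).join(" AND ")
    begin
      puts "  patched: WHERE " + patched_conditions("posts", params).join(" AND ")
    rescue ArgumentError => e
      puts "  patched: rejected (#{e.message})"
    end
    begin
      puts "  coerced: WHERE " + safe_conditions("posts", "id", params["id"]).join(" AND ")
    rescue TypeError, ArgumentError => e
      puts "  coerced: rejected (#{e.class})"
    end
  end
end
```

Run it with `ruby` to see the three outcomes for each query string. The point the comparison makes is that nested-hash handling in `where` is a feature (scoping conditions to a joined table), so the depth limit in the framework only removes the extra level; the durable defence in application code is never handing raw request values to `where` without first coercing or whitelisting them.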
Affected Products
| Vendor | Product | Vulnerable versions | Fixed in |
|---|---|---|---|
| RubyGems | activerecord | < 3.0.14 | 3.0.14 |
| RubyGems | activerecord | >= 3.1.0, < 3.1.6 | 3.1.6 |
| RubyGems | activerecord | >= 3.2.0, < 3.2.6 | 3.2.6 |
Exploit Intelligence
- https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source&output=gplain (nist-nvd)
- .bundler-audit.yml (github-poc). Caveat: `.bundler-audit.yml` is the configuration file of the bundler-audit gem, and its `ignore:` list names advisory IDs; repositories matched on this file merely reference CVE-2012-2695 in their audit configuration and do not contain exploit code.
- …and 51 more exploits
Timeline
- Jun 22, 2012 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 10, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- Jul 17, 2023 EPSS Score
- Sep 7, 2023 EPSS Score
References
- SUSE-SU-2012:1012 (vendor advisory, SUSE)
- openSUSE-SU-2012:0978 (vendor advisory, SUSE)
- SUSE-SU-2012:1014 (vendor advisory, SUSE)
- openSUSE-SU-2012:1066 (vendor advisory, SUSE)
- RHSA-2013:0154 (vendor advisory, Red Hat)
- [rubyonrails-security] 20120612 Ruby on Rails SQL Injection (CVE-2012-2695) (mailing list)
- https://nvd.nist.gov/vuln/detail/CVE-2012-2695 (advisory)
- https://github.com/advisories/GHSA-76wq-xw4h-f8wj (advisory)
- https://github.com/rails/rails/commit/62f81f4d6b3ee40e9887ffd92ab14714bad93f18 (patch)
- https://github.com/rails/rails (project repository)
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2695.yml (advisory)
- https://groups.google.com/g/rubyonrails-security/c/l4L0TEVAz1k/m/Vr84sD9B464J (mailing list post)