CVE-2012-2695

Exploit

EPSS 0.64%
Published 22.06.2012 14:55:01
Last modified 11.04.2025 00:51:21
Source secalert@redhat.com
Teams watchlist Login
Open Login

The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.

Affected products Warnungen 0 Metrics 2 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Rubyonrails ≫ Rails Version3.0.0

Rubyonrails ≫ Rails Version3.0.0 Updatebeta

Rubyonrails ≫ Rails Version3.0.0 Updatebeta2

Rubyonrails ≫ Rails Version3.0.0 Updatebeta3

Rubyonrails ≫ Rails Version3.0.0 Updatebeta4

Rubyonrails ≫ Rails Version3.0.0 Updaterc

Rubyonrails ≫ Rails Version3.0.0 Updaterc2

Rubyonrails ≫ Rails Version3.0.1

Rubyonrails ≫ Rails Version3.0.1 Updatepre

Rubyonrails ≫ Rails Version3.0.2

Rubyonrails ≫ Rails Version3.0.2 Updatepre

Rubyonrails ≫ Rails Version3.0.3

Rubyonrails ≫ Rails Version3.0.4 Updaterc1

Rubyonrails ≫ Rails Version3.0.5

Rubyonrails ≫ Rails Version3.0.5 Updaterc1

Rubyonrails ≫ Rails Version3.0.6

Rubyonrails ≫ Rails Version3.0.6 Updaterc1

Rubyonrails ≫ Rails Version3.0.6 Updaterc2

Rubyonrails ≫ Rails Version3.0.7

Rubyonrails ≫ Rails Version3.0.7 Updaterc1

Rubyonrails ≫ Rails Version3.0.7 Updaterc2

Rubyonrails ≫ Rails Version3.0.8

Rubyonrails ≫ Rails Version3.0.8 Updaterc1

Rubyonrails ≫ Rails Version3.0.8 Updaterc2

Rubyonrails ≫ Rails Version3.0.8 Updaterc3

Rubyonrails ≫ Rails Version3.0.8 Updaterc4

Rubyonrails ≫ Rails Version3.0.9

Rubyonrails ≫ Rails Version3.0.9 Updaterc1

Rubyonrails ≫ Rails Version3.0.9 Updaterc2

Rubyonrails ≫ Rails Version3.0.9 Updaterc3

Rubyonrails ≫ Rails Version3.0.9 Updaterc4

Rubyonrails ≫ Rails Version3.0.9 Updaterc5

Rubyonrails ≫ Rails Version3.0.10

Rubyonrails ≫ Rails Version3.0.10 Updaterc1

Rubyonrails ≫ Rails Version3.0.11

Rubyonrails ≫ Rails Version3.0.12

Rubyonrails ≫ Rails Version3.0.12 Updaterc1

Rubyonrails ≫ Rails Version3.0.13 Updaterc1

Rubyonrails ≫ Ruby On Rails Version <= 3.0.13

Rubyonrails ≫ Ruby On Rails Version3.0.4

Rubyonrails ≫ Rails Version3.1.0

Rubyonrails ≫ Rails Version3.1.0 Updatebeta1

Rubyonrails ≫ Rails Version3.1.0 Updaterc1

Rubyonrails ≫ Rails Version3.1.0 Updaterc2

Rubyonrails ≫ Rails Version3.1.0 Updaterc3

Rubyonrails ≫ Rails Version3.1.0 Updaterc4

Rubyonrails ≫ Rails Version3.1.0 Updaterc5

Rubyonrails ≫ Rails Version3.1.0 Updaterc6

Rubyonrails ≫ Rails Version3.1.0 Updaterc7

Rubyonrails ≫ Rails Version3.1.0 Updaterc8

Rubyonrails ≫ Rails Version3.1.1

Rubyonrails ≫ Rails Version3.1.1 Updaterc1

Rubyonrails ≫ Rails Version3.1.1 Updaterc2

Rubyonrails ≫ Rails Version3.1.1 Updaterc3

Rubyonrails ≫ Rails Version3.1.2

Rubyonrails ≫ Rails Version3.1.2 Updaterc1

Rubyonrails ≫ Rails Version3.1.2 Updaterc2

Rubyonrails ≫ Rails Version3.1.3

Rubyonrails ≫ Rails Version3.1.4

Rubyonrails ≫ Rails Version3.1.4 Updaterc1

Rubyonrails ≫ Rails Version3.1.5

Rubyonrails ≫ Rails Version3.1.5 Updaterc1

Rubyonrails ≫ Rails Version3.2.0

Rubyonrails ≫ Rails Version3.2.0 Updaterc1

Rubyonrails ≫ Rails Version3.2.0 Updaterc2

Rubyonrails ≫ Rails Version3.2.1

Rubyonrails ≫ Rails Version3.2.2

Rubyonrails ≫ Rails Version3.2.2 Updaterc1

Rubyonrails ≫ Rails Version3.2.3

Rubyonrails ≫ Rails Version3.2.3 Updaterc1

Rubyonrails ≫ Rails Version3.2.3 Updaterc2

Rubyonrails ≫ Rails Version3.2.4

Rubyonrails ≫ Rails Version3.2.4 Updaterc1

Rubyonrails ≫ Rails Version3.2.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.64%	0.681

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html

http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html

http://rhn.redhat.com/errata/RHSA-2013-0154.html

https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source&output=gplain

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2012-2695

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2012-2695

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2012-2695

EUVD