Active Record contains SQL Injection
RSS Feed
HIGH
GHSA-gh2w-j7cx-2664
CVE-2012-6496
Description:
SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
Affected Packages
| Ecosystem | Package | Vulnerable Versions | Patched Version |
|---|---|---|---|
| rubygems |
activerecord
|
>= 3.2.0, < 3.2.10>= 3.1.0, < 3.1.9 |
3.2.10
|
Actions
Advisory Details
| Published: | October 24, 2017 over 8 years ago |
| Updated: | June 02, 2026 about 1 hour ago |
| EPSS: | 1.02% 77th percentile |
| Source: | Github |
| Classification: | GENERAL |
| UUID: | MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdoMnctajdjeC0yNjY0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2012-6496
- https://bugzilla.redhat.com/show_bug.cgi?id=889649
- https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain
- http://rhn.redhat.com/errata/RHSA-2013-0154.html
- http://rhn.redhat.com/errata/RHSA-2013-0220.html
- http://rhn.redhat.com/errata/RHSA-2013-0544.html
- http://security.gentoo.org/glsa/glsa-201401-22.xml
- https://github.com/rails/rails/commit/9de9b359d0d24f70f0f6c5c58a7ad8750684d456
- http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
- https://github.com/advisories/GHSA-gh2w-j7cx-2664