CVE Database

CVE-2012-6496

Impact: Moderate
Public: 2012-12-21
Bugzilla: 889649: CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection

Details

The MITRE CVE dictionary describes this issue as:

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

Find out more about CVE-2012-6496 from the MITRE CVE dictionary and NIST NVD.
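The "unexpected data types" phrase in the description is the whole bug: a finder such as find_by_token(params[:token]) assumes a scalar, but a JSON or XML request body can make the parsed parameter a Hash, and a trailing Hash argument was treated by the dynamic finder as a finder-options hash (select, order, limit ...) rather than as the value to match. The following is an added, self-contained Ruby model of that argument handling, not Active Record's code; the class and method names (DynamicFinderModel, vulnerable_find_by, safe_find_by), the table name and the sample tokens are assumptions made for the illustration, and no database is touched, the model only returns the SQL it would run.

```ruby
# Added example, not Rails code: a minimal model of how a dynamic finder of
# the affected era peeled a trailing Hash off its arguments as finder options.
# All names here are assumptions for the illustration.

module SqlQuote
  # Doubles single quotes the way a SQL literal quoter does.
  def self.literal(value)
    "'" + value.to_s.gsub("'", "''") + "'"
  end
end

class DynamicFinderModel
  TABLE = "users" # assumed table name

  # Vulnerable shape: if the last argument is a Hash it is taken as finder
  # options (what an extract_options! style call does), so the value that was
  # meant to be matched is gone and the Hash contents become query fragments.
  def self.vulnerable_find_by(attribute, *args)
    options = args.last.is_a?(Hash) ? args.pop : {}
    value   = args.first
    build_sql(attribute, value, options)
  end

  # Hardened shape: exactly one scalar value, no options path at all.
  # Callers should additionally cast request input (params[:token].to_s)
  # so a structured body cannot change the parameter's type.
  def self.safe_find_by(attribute, value)
    unless value.nil? || value.is_a?(String) || value.is_a?(Numeric)
      raise ArgumentError, "#{attribute} must be a scalar, got #{value.class}"
    end
    build_sql(attribute, value, {})
  end

  def self.build_sql(attribute, value, options)
    opts   = options.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
    select = opts.fetch(:select, "*") # option values are raw SQL by design
    where  = value.nil? ? "#{attribute} IS NULL" : "#{attribute} = #{SqlQuote.literal(value)}"
    sql = "SELECT #{select} FROM #{TABLE} WHERE #{where}"
    sql += " ORDER BY #{opts[:order]}" if opts[:order]
    sql += " LIMIT #{Integer(opts[:limit])}" if opts[:limit]
    sql
  end
  private_class_method :build_sql
end

# Constructed inputs: a normal string token, and the parsed form of a request
# body in which "token" was sent as an object instead of a string.
NORMAL_TOKEN  = "ab12cd"
CRAFTED_TOKEN = { "select" => "*, (SELECT 1) AS injected" }

if __FILE__ == $0
  puts DynamicFinderModel.vulnerable_find_by(:api_token, NORMAL_TOKEN)
  # The crafted Hash lands in the SELECT list verbatim, and because the
  # intended value was consumed as options the match degrades to IS NULL.
  puts DynamicFinderModel.vulnerable_find_by(:api_token, CRAFTED_TOKEN)
  begin
    DynamicFinderModel.safe_find_by(:api_token, CRAFTED_TOKEN)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Two things to take from the model when auditing an application on an affected Rails version: any find_by_* call fed directly from params is in scope whenever the app accepts JSON or XML bodies, and the side effect of the value being consumed as options (the lookup key becoming NULL) matters on its own, independent of the SQL fragment, because a row with a NULL column would then match. Upgrading to the fixed versions named in the description is the real fix; casting the parameter to its expected type is the application-side check.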

CVSS v2 metrics

Base Score: 6.4
Base Metrics: AV:N/AC:L/Au:N/C:N/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform                                              Errata          Release Date
CloudForms System Engine for RHEL 6 Server            RHSA-2013:0155  January 10, 2013
Red Hat OpenShift Enterprise Client Tools             RHSA-2013:0220  January 31, 2013
Red Hat Subscription Asset Manager for RHEL 6 Server  RHSA-2013:0154  January 10, 2013

External References

http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.