GHSA-76wq-xw4h-f8wj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-76wq-xw4h-f8wj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-76wq-xw4h-f8wj/GHSA-76wq-xw4h-f8wj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-76wq-xw4h-f8wj
- Aliases
-
- CVE-2012-2695
- Published
- 2017-10-24T18:33:38Z
- Modified
- 2024-11-29T05:45:19.969558Z
- Summary
- activerecord vulnerable to SQL Injection
- Details
-
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
- Database specific
{ "nvd_published_at": "2012-06-22T14:55:01Z", "cwe_ids": [ "CWE-89" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:21:41Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2012-2695
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2695.yml
- https://groups.google.com/g/rubyonrails-security/c/l4L0TEVAz1k/m/Vr84sD9B464J
- https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source&output=gplain
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html
- http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
- http://rhn.redhat.com/errata/RHSA-2013-0154.html
Affected packages
RubyGems / activerecord
Package
- Name
- activerecord
- Purl
- pkg:gem/activerecord
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.0.14
Affected versions
1.*
1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.5.1
1.6.0
1.7.0
1.8.0
1.9.0
1.9.1
1.10.0
1.10.1
1.11.0
1.11.1
1.12.1
1.12.2
1.13.0
1.13.1
1.13.2
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.15.0
1.15.1
1.15.2
1.15.3
1.15.4
1.15.5
1.15.6
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.2
2.2.3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8.pre1
2.3.8
2.3.9.pre
2.3.9
2.3.10
2.3.11
2.3.12
2.3.14
2.3.15
2.3.16
2.3.17
2.3.18
3.*
3.0.0.beta
3.0.0.beta2
3.0.0.beta3
3.0.0.beta4
3.0.0.rc
3.0.0.rc2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4
3.0.8
3.0.9.rc1
3.0.9.rc3
3.0.9.rc4
3.0.9.rc5
3.0.9
3.0.10.rc1
3.0.10
3.0.11
3.0.12.rc1
3.0.12
3.0.13.rc1
3.0.13
RubyGems / activerecord
Package
- Name
- activerecord
- Purl
- pkg:gem/activerecord
RubyGems / activerecord
Package
- Name
- activerecord
- Purl
- pkg:gem/activerecord