GHSA-gh2w-j7cx-2664

Source

https://github.com/advisories/GHSA-gh2w-j7cx-2664

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-gh2w-j7cx-2664/GHSA-gh2w-j7cx-2664.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gh2w-j7cx-2664

Aliases

CVE-2012-6496

Published

2017-10-24T18:33:37Z

Modified

2024-12-05T05:23:07.975794Z

Summary

Active Record contains SQL Injection

Details

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain findby method calls.

Database specific

{
    "nvd_published_at": "2013-01-04T04:46:02Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:37:20Z"
}

References

Affected packages

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.18

Affected versions

1.*

1.0.0

1.1.0

1.2.0

1.3.0

1.4.0

1.5.0

1.5.1

1.6.0

1.7.0

1.8.0

1.9.0

1.9.1

1.10.0

1.10.1

1.11.0

1.11.1

1.12.1

1.12.2

1.13.0

1.13.1

1.13.2

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

2.*

2.0.0

2.0.1

2.0.2

2.0.4

2.0.5

2.1.0

2.1.1

2.1.2

2.2.2

2.2.3

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8.pre1

2.3.8

2.3.9.pre

2.3.9

2.3.10

2.3.11

2.3.12

2.3.14

2.3.15

2.3.16

2.3.17

2.3.18

3.*

3.0.0.beta

3.0.0.beta2

3.0.0.beta3

3.0.0.beta4

3.0.0.rc

3.0.0.rc2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4.rc1

3.0.4

3.0.5.rc1

3.0.5

3.0.6.rc1

3.0.6.rc2

3.0.6

3.0.7.rc1

3.0.7.rc2

3.0.7

3.0.8.rc1

3.0.8.rc2

3.0.8.rc4

3.0.8

3.0.9.rc1

3.0.9.rc3

3.0.9.rc4

3.0.9.rc5

3.0.9

3.0.10.rc1

3.0.10

3.0.11

3.0.12.rc1

3.0.12

3.0.13.rc1

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.9

Affected versions

3.*

3.1.0

3.1.1.rc1

3.1.1.rc2

3.1.1.rc3

3.1.1

3.1.2.rc1

3.1.2.rc2

3.1.2

3.1.3

3.1.4.rc1

3.1.4

3.1.5.rc1

3.1.5

3.1.6

3.1.7

3.1.8

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.0

Fixed

3.2.10

Affected versions

3.*

3.2.0

3.2.1

3.2.2.rc1

3.2.2

3.2.3.rc1

3.2.3.rc2

3.2.3

3.2.4.rc1

3.2.4

3.2.5

3.2.6

3.2.7.rc1

3.2.7

3.2.8.rc1

3.2.8.rc2

3.2.8

3.2.9.rc1

3.2.9.rc2

3.2.9.rc3

3.2.9