GHSA-hgpp-pp89-4fgf

Suggest an improvement
Source
https://github.com/advisories/GHSA-hgpp-pp89-4fgf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-hgpp-pp89-4fgf/GHSA-hgpp-pp89-4fgf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hgpp-pp89-4fgf
Aliases
  • CVE-2012-2660
Published
2017-10-24T18:33:38Z
Modified
2024-02-16T08:16:08.963251Z
Summary
Action Pack contains database-query restrictions bypass
Details

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain [nil] values, a related issue to CVE-2012-2694.

References

Affected packages

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.13

Affected versions

0.*

0.9.0
0.9.5

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.4.0
1.5.0
1.5.1
1.6.0
1.7.0
1.8.0
1.8.1
1.9.0
1.9.1
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6

2.*

2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.2
2.2.3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8.pre1
2.3.8
2.3.9.pre
2.3.9
2.3.10
2.3.11
2.3.12
2.3.14
2.3.15
2.3.16
2.3.17
2.3.18

3.*

3.0.0.beta
3.0.0.beta2
3.0.0.beta3
3.0.0.beta4
3.0.0.rc
3.0.0.rc2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4
3.0.8
3.0.9.rc1
3.0.9.rc3
3.0.9.rc4
3.0.9.rc5
3.0.9
3.0.10.rc1
3.0.10
3.0.11
3.0.12.rc1
3.0.12
3.0.13.rc1

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.5

Affected versions

3.*

3.1.0
3.1.1.rc1
3.1.1.rc2
3.1.1.rc3
3.1.1
3.1.2.rc1
3.1.2.rc2
3.1.2
3.1.3
3.1.4.rc1
3.1.4
3.1.5.rc1

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.4

Affected versions

3.*

3.2.0
3.2.1
3.2.2.rc1
3.2.2
3.2.3.rc1
3.2.3.rc2
3.2.3
3.2.4.rc1