4.3
CVSSv2

CVE-2012-2694

Published: 22/06/2012 Updated: 08/08/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails prior to 3.0.14, 3.1.x prior to 3.1.6, and 3.2.x prior to 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote malicious users to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.

Affected Products

Vendor Product Versions
RubyonrailsRails3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5
RubyonrailsRuby On Rails3.0.4, 3.0.13

Vendor Advisories

Synopsis Critical: Ruby on Rails security update Type/Severity Security Advisory: Critical Topic Updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecordpackages that fix multiple security issues are now available for Red HatSubscription Asset ManagerThe Red Hat Security Response Team ha ...
Synopsis Moderate: Red Hat OpenShift Enterprise 111 update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Enterprise 111 is now availableThe Red Hat Security Response Team has rated this update as having moderatesecurity impact Common Vulnerability Scoring System (CVSS) base scores, ...

Github Repositories

This repo has a dependency which is associated with this CVE-2016-6317 Action Record in Ruby on Rails 42x before 4271 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE claus