CVE-2012-6496 – activerecord

Package

Manager: gem
Name: activerecord
Vulnerable Version: >=3.0.0.beta <3.0.18 || >=3.1.0 <3.1.9 || >=3.2.0 <3.2.10 || >=0 <2.3.15

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.02213 pctl0.8384

Details

Active Record contains SQL Injection SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

Metadata

Created: 2017-10-24T18:33:37Z
Modified: 2025-01-21T16:47:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-gh2w-j7cx-2664/GHSA-gh2w-j7cx-2664.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-gh2w-j7cx-2664
Finding: F297
Auto approve: 1