Ruby on Rails CVE-2012-2660 SQL Injection Vulnerability
BID:53754
Info
Ruby on Rails CVE-2012-2660 SQL Injection Vulnerability
| Bugtraq ID: | 53754 |
| Class: | Input Validation Error |
| CVE: |
CVE-2012-2660 |
| Remote: | Yes |
| Local: | No |
| Published: | May 31 2012 12:00AM |
| Updated: | Mar 19 2015 08:31AM |
| Credit: | Ben Murphy |
| Vulnerable: |
SuSE WebYaST 1.2 SuSE SUSE Linux Enterprise SDK 11 SP2 SuSE SUSE Linux Enterprise SDK 11 SP1 SuSE Studio Standard Edition 1.2 SuSE Studio Onsite 1.2 SuSE Studio Extension for System z 1.2 SuSE openSUSE 12.1 SuSE openSUSE 11.4 Ruby on Rails Ruby on Rails 3.2.2 Ruby on Rails Ruby on Rails 3.1.4 Ruby on Rails Ruby on Rails 3.1.2 Ruby on Rails Ruby on Rails 3.0.12 Ruby on Rails Ruby on Rails 3.0.11 Ruby on Rails Ruby on Rails 3.0.6 Ruby on Rails Ruby on Rails 3.0.5 Ruby on Rails Ruby on Rails 3.0.4 Ruby on Rails Ruby on Rails 3.0.3 Ruby on Rails Ruby on Rails 3.0.2 Ruby on Rails Ruby on Rails 3.0.1 Ruby on Rails Ruby on Rails 3.0 Ruby on Rails Ruby on Rails 3.1.0.rc6 Ruby on Rails Ruby on Rails 3.1.0.rc5 Ruby on Rails Ruby on Rails 3.0.8 Ruby on Rails Ruby on Rails 3.0.7 Ruby on Rails Ruby on Rails 3.0.10 Red Hat Fedora 17 Red Hat Fedora 16 Red Hat Fedora 15 |
| Not Vulnerable: |
Ruby on Rails Ruby on Rails 3.2.4 Ruby on Rails Ruby on Rails 3.1.5 Ruby on Rails Ruby on Rails 3.0.13 |
Discussion
Ruby on Rails CVE-2012-2660 SQL Injection Vulnerability
Ruby on Rails is prone to an SQL-injection vulnerability.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The vulnerability is fixed in the following versions:
Ruby on Rails 3.2.4, 3.1.5, and 3.0.13
Ruby on Rails is prone to an SQL-injection vulnerability.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The vulnerability is fixed in the following versions:
Ruby on Rails 3.2.4, 3.1.5, and 3.0.13
Exploit / POC
Ruby on Rails CVE-2012-2660 SQL Injection Vulnerability
An attacker can use a browser to exploit this issue.
An attacker can use a browser to exploit this issue.
References
Ruby on Rails CVE-2012-2660 SQL Injection Vulnerability
References:
References:
- Moderate: Red Hat OpenShift Enterprise 1.1.1 update (Red Hat)
- Ruby on Rails Homepage (Ruby on Rails)
- Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660) (Ben Murphy)
- RHSA-2012:1542 (Red Hat)
- Security Bulletin: IBM Security Network Intrusion Prevention System can be affec (IBM)