RubySec

Providing security resources for the Ruby community

CVE-2012-2660 (activerecord): Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query Arbitrary IS NULL Clause Injection

GEM

activerecord

FRAMEWORK

rails

SEVERITY

CVSS v2: 7.5

PATCHED VERSIONS

  • ~> 3.0.13
  • ~> 3.1.5
  • >= 3.2.4

DESCRIPTION

Ruby on Rails contains a flaw in the way ActiveRecord builds SQL from request parameters, in conjunction with the way Rack parses query strings. Rack turns a parameter written with empty brackets and no value (for example `?name[]`) into an Array containing `nil`, and ActiveRecord's `where` renders a `nil` (or an all-`nil` Array) condition as an `IS NULL` predicate rather than an equality check. A remote attacker who controls query parameters that an application passes straight into `where` (for example `User.where(:name => params[:name])`) can therefore inject arbitrary `IS NULL` clauses into application SQL queries, making the query check for NULL in places the application never intended and potentially matching rows that an equality check would have excluded. Upgrade to a patched version; until then, coerce request values to the expected scalar type before they reach `where` (for example `params[:name].to_s`).
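The following example, added to this advisory and not taken from Rack or Rails, models the two behaviours that combine here: a minimal re-implementation of Rack's nested query-string parsing (enough to show `name[]` becoming `[nil]`) and a simplified model of how a pre-fix ActiveRecord 3.x predicate builder turned a `where(hash)` into SQL. The method names `parse_nested_query`, `vulnerable_where_sql`, `hardened_where_sql` and `quote`, the `users` table and the request strings are all constructed for the example; the hardened variant applies the `to_s` coercion workaround described above.

```ruby
require 'uri'

# Minimal re-implementation of the nested query-string parsing that Rack performs
# (example code written for this advisory, not Rack's own parser). It covers the
# parameter shapes that matter here:
#   "name=bob"  -> {"name" => "bob"}
#   "name[]"    -> {"name" => [nil]}   (bracketed key with no value)
#   "name[]=a"  -> {"name" => ["a"]}
def parse_nested_query(query_string)
  params = {}
  query_string.to_s.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    next if raw_key.nil? || raw_key.empty?
    key   = URI.decode_www_form_component(raw_key)
    value = raw_value.nil? ? nil : URI.decode_www_form_component(raw_value)
    if key.end_with?('[]')
      (params[key[0...-2]] ||= []) << value
    else
      params[key] = value
    end
  end
  params
end

# Quote a value as a SQL string literal (doubling single quotes). Illustrative
# only; a real adapter would use its own quoting or bind parameters.
def quote(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Simplified model of how a pre-fix ActiveRecord 3.x predicate builder rendered
# a where(hash) (illustrative, not ActiveRecord's code). Rules modelled:
#   nil           -> "col IS NULL"
#   Array         -> "col IN (...)"; a nil element adds "OR col IS NULL", and an
#                    all-nil array collapses to just "col IS NULL"
#   anything else -> "col = 'literal'"
def vulnerable_where_sql(table, conditions)
  clauses = conditions.map do |column, value|
    attr = "#{table}.#{column}"
    case value
    when nil
      "#{attr} IS NULL"
    when Array
      present = value.compact
      if present.empty?
        "#{attr} IS NULL"
      else
        list = present.map { |v| quote(v) }.join(', ')
        if value.include?(nil)
          "(#{attr} IN (#{list}) OR #{attr} IS NULL)"
        else
          "#{attr} IN (#{list})"
        end
      end
    else
      "#{attr} = #{quote(value)}"
    end
  end
  "SELECT * FROM #{table} WHERE #{clauses.join(' AND ')}"
end

# Hardened variant of the same lookup: every request-supplied value is coerced
# to a String before it reaches the predicate builder, so an Array or nil from
# the parser can never become an IS NULL check. This is the to_s workaround the
# advisory describes, applied to the whole conditions hash.
def hardened_where_sql(table, conditions)
  coerced = conditions.each_with_object({}) { |(col, v), h| h[col] = v.to_s }
  vulnerable_where_sql(table, coerced)
end

if __FILE__ == $0
  # Constructed requests: the application expected ?name=<string>.
  benign  = parse_nested_query('name=bob')
  hostile = parse_nested_query('name[]')
  puts vulnerable_where_sql('users', 'name' => benign['name'])   # users.name = 'bob'
  puts vulnerable_where_sql('users', 'name' => hostile['name'])  # users.name IS NULL
  puts hardened_where_sql('users', 'name' => hostile['name'])    # users.name = '[nil]'
end
```

Running the script shows the intended equality check for `?name=bob`, the injected `IS NULL` predicate for `?name[]`, and the harmless `= '[nil]'` comparison once the value is coerced. Coercing with `to_s` is a stopgap; the durable fix is to run a patched Rails and to validate the type of every parameter before it reaches a query.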