RubySec

Providing security resources for the Ruby community

CVE-2012-2661 (activerecord): Ruby on Rails where Method ActiveRecord Class SQL Injection

ADVISORIES

GEM

activerecord

FRAMEWORK

rails

SEVERITY

CVSS v2: 5.0

UNAFFECTED VERSIONS

  • ~> 2.3.14

PATCHED VERSIONS

  • ~> 3.0.13
  • ~> 3.1.5
  • >= 3.2.4

DESCRIPTION

Ruby on Rails (RoR) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ActiveRecord class not properly sanitizing user-supplied input to the ‘where’ method. This may allow an attacker to inject or manipulate SQL queries in an application built on RoR, allowing for the manipulation or disclosure of arbitrary data.