ADVISORIES
- CVE-2012-6496 (NVD)
- GHSA-gh2w-j7cx-2664
- OSVDB-88661
- Vendor Advisory
GEM
FRAMEWORK
SEVERITY
CVSS v2.0: 6.4 (Medium)
PATCHED VERSIONS
- ~> 3.0.18
- ~> 3.1.9
- >= 3.2.10
DESCRIPTION
Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.