RubySec

Providing security resources for the Ruby community

CVE-2012-6496 (activerecord): Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass

ADVISORIES

GEM

activerecord

FRAMEWORK

rails

SEVERITY

CVSS v2: 6.4

PATCHED VERSIONS

  • ~> 3.0.18
  • ~> 3.1.9
  • >= 3.2.10

DESCRIPTION

Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.