CVE-2012-6497

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/	Exploit
http://openwall.com/lists/oss-security/2013/01/03/12	Mailing List Third Party Advisory
http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html	Broken Link Exploit
http://www.securityfocus.com/bid/57084	Broken Link Third Party Advisory VDB Entry
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/	Exploit
http://openwall.com/lists/oss-security/2013/01/03/12	Mailing List Third Party Advisory
http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html	Broken Link Exploit
http://www.securityfocus.com/bid/57084	Broken Link Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*

History

21 Nov 2024, 01:46

Type	Values Removed	Values Added
References	~~() http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/ - Exploit~~	() http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/ - Exploit
References	~~() http://openwall.com/lists/oss-security/2013/01/03/12 - Mailing List, Third Party Advisory~~	() http://openwall.com/lists/oss-security/2013/01/03/12 - Mailing List, Third Party Advisory
References	~~() http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html - Broken Link, Exploit~~	() http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html - Broken Link, Exploit
References	~~() http://www.securityfocus.com/bid/57084 - Broken Link, Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/57084 - Broken Link, Third Party Advisory, VDB Entry

19 May 2023, 16:52

Type	Values Removed	Values Added
CWE	~~CWE-200~~	CWE-89
CPE	cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:::::: cpe:2.3:a:rubyonrails:rails:0.12.1:::::::* cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:::::::* cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:::::: cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:::::: cpe:2.3:a:rubyonrails:rails:2.2.2:::::::* cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:::::: cpe:2.3:a:rubyonrails:rails:2.3.10:::::::* cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.0.1:pre:::::: cpe:2.3:a:rubyonrails:rails:1.1.5:::::::* cpe:2.3:a:rubyonrails:rails:2.0.2:::::::* cpe:2.3:a:rubyonrails:rails:2.0.0:::::::* cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:::::: cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:::::: cpe:2.3:a:rubyonrails:rails:1.2.0:::::::* cpe:2.3:a:rubyonrails:rails:3.0.0:rc:::::: cpe:2.3:a:rubyonrails:rails:0.14.1:::::::* cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:::::: cpe:2.3:a:rubyonrails:rails:1.2.1:::::::* cpe:2.3:a:rubyonrails:rails:3.2.8:::::::* cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:::::: cpe:2.3:a:rubyonrails:rails:0.13.0:::::::* cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:::::: cpe:2.3:a:rubyonrails:rails:2.3.9:::::::* cpe:2.3:a:rubyonrails:rails:3.1.1:::::::* cpe:2.3:a:rubyonrails:rails:3.1.3:::::::* cpe:2.3:a:rubyonrails:rails:3.1.8:::::::* cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:::::: cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:::::: cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:::::: cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:::::::* cpe:2.3:a:rubyonrails:rails:0.9.3:::::::* cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:::::: cpe:2.3:a:rubyonrails:rails:3.2.1:::::::* cpe:2.3:a:rubyonrails:rails:0.9.4.1:::::::* cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:::::: cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:::::: cpe:2.3:a:rubyonrails:rails:1.1.3:::::::* cpe:2.3:a:rubyonrails:rails:3.1.4:::::::* cpe:2.3:a:rubyonrails:rails:2.3.3:::::::* cpe:2.3:a:rubyonrails:rails:3.2.2:::::::* cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:::::: cpe:2.3:a:rubyonrails:rails:3.1.7:::::::* cpe:2.3:a:rubyonrails:rails:2.1.2:::::::* cpe:2.3:a:rubyonrails:rails:3.0.16:::::::* cpe:2.3:a:rubyonrails:rails:1.1.1:::::::* cpe:2.3:a:rubyonrails:rails:0.14.2:::::::* cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:::::::* cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:::::::* cpe:2.3:a:rubyonrails:rails:1.2.6:::::::* cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:::::: cpe:2.3:a:rubyonrails:rails:3.0.3:::::::* cpe:2.3:a:rubyonrails:rails:3.0.8:::::::* cpe:2.3:a:rubyonrails:rails:1.1.6:::::::* cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:::::::* cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:::::: cpe:2.3:a:rubyonrails:rails:0.14.3:::::::* cpe:2.3:a:rubyonrails:rails:0.9.4:::::::* cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.0.6:::::::* cpe:2.3:a:rubyonrails:rails:2.2.0:::::::* cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.2.0:::::::* cpe:2.3:a:rubyonrails:rails:2.2.1:::::::* cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:::::: cpe:2.3:a:rubyonrails:rails:0.11.0:::::::* cpe:2.3:a:rubyonrails:rails:1.0.0:::::::* cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:::::: cpe:2.3:a:rubyonrails:rails:0.14.4:::::::* cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:::::: cpe:2.3:a:rubyonrails:rails:3.0.12:::::::* cpe:2.3:a:rubyonrails:rails:2.0.4:::::::* cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:::::: cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:::::::* cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:::::: cpe:2.3:a:rubyonrails:rails:3.0.13:::::::* cpe:2.3:a:rubyonrails:rails:2.0.1:::::::* cpe:2.3:a:rubyonrails:rails:3.2.3:::::::* cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:::::: cpe:2.3:a:rubyonrails:rails:3.1.0:::::::* cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.1.6:::::::* cpe:2.3:a:rubyonrails:rails:3.2.7:::::::* cpe:2.3:a:rubyonrails:rails:3.0.2:pre:::::: cpe:2.3:a:rubyonrails:rails:2.3.4:::::::* cpe:2.3:a:rubyonrails:rails:1.2.5:::::::* cpe:2.3:a:rubyonrails:rails:1.2.4:::::::* cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:::::: cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:::::::* cpe:2.3:a:rubyonrails:rails:2.3.11:::::::* cpe:2.3:a:rubyonrails:rails:3.0.14:::::::* cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:::::: cpe:2.3:a:rubyonrails:rails:0.13.1:::::::* cpe:2.3:a:rubyonrails:rails:0.12.0:::::::* cpe:2.3:a:rubyonrails:rails:3.1.2:::::::* cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:::::: cpe:2.3:a:rubyonrails:rails:3.0.11:::::::* cpe:2.3:a:rubyonrails:rails:3.0.1:::::::* cpe:2.3:a:rubyonrails:rails:1.9.5:::::::* cpe:2.3:a:rubyonrails:rails:0.9.2:::::::* cpe:2.3:a:rubyonrails:rails:3.0.17:::::::* cpe:2.3:a:rubyonrails:rails:1.1.4:::::::* cpe:2.3:a:rubyonrails:rails:3.1.5:::::::* cpe:2.3:a:rubyonrails:rails:1.1.2:::::::* cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:::::: cpe:2.3:a:rubyonrails:rails:2.1.0:::::::* cpe:2.3:a:rubyonrails:rails:3.0.0:::::::* cpe:2.3:a:rubyonrails:rails:0.11.1:::::::* cpe:2.3:a:rubyonrails:rails:3.0.10:::::::* cpe:2.3:a:rubyonrails:rails:1.2.3:::::::* cpe:2.3:a:rubyonrails:rails:0.9.1:::::::* cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:::::: cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:::::: cpe:2.3:a:rubyonrails:rails:3.0.5:::::::* cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:::::: cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:::::::* cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:::::::* cpe:2.3:a:rubyonrails:rails:3.2.6:::::::* cpe:2.3:a:rubyonrails:rails:3.2.4:::::::* cpe:2.3:a:rubyonrails:rails:3.0.7:::::::* cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.0.9:::::::* cpe:2.3:a:rubyonrails:rails:2.1.1:::::::* cpe:2.3:a:rubyonrails:rails:3.2.5:::::::* cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:::::: cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:::::: cpe:2.3:a:rubyonrails:rails:0.10.1:::::::* cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:::::::* cpe:2.3:a:rubyonrails:rails:3.0.0:beta:::::: cpe:2.3:a:rubyonrails:rails:2.3.2:::::::* cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:::::: cpe:2.3:a:rubyonrails:rails:2.3.12:::::::* cpe:2.3:a:rubyonrails:rails:1.1.0:::::::* cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:::::::* cpe:2.3:a:rubyonrails:rails:1.2.2:::::::* cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:::::: cpe:2.3:a:rubyonrails:rails:3.0.2:::::::* cpe:2.3:a:rubyonrails:rails:0.10.0:::::::* cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:::::: cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:::::: cpe:2.3:a:rubyonrails:ruby_on_rails::::::::	cpe:2.3:a:rubyonrails:rails::::::::
References	~~(BID) http://www.securityfocus.com/bid/57084 -~~	(BID) http://www.securityfocus.com/bid/57084 - Broken Link, Third Party Advisory, VDB Entry
References	~~(MISC) http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html - Exploit~~	(MISC) http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html - Broken Link, Exploit
References	~~(MLIST) http://openwall.com/lists/oss-security/2013/01/03/12 -~~	(MLIST) http://openwall.com/lists/oss-security/2013/01/03/12 - Mailing List, Third Party Advisory

Information

Published : 2013-01-04 04:46

Updated : 2024-11-21 01:46

NVD link : CVE-2012-6497

Mitre link : CVE-2012-6497

CVE.ORG link : CVE-2012-6497

JSON object : View

Products Affected

rubyonrails

rails

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

5.0 /10