CVE-2012-2661 — Active Record vulnerable to SQL Injection via nested query parameters

Description

The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.

How to fix CVE-2012-2661

To remediate CVE-2012-2661, upgrade the affected package to a fixed version below.

RubyGems/activerecord—upgrade to 3.0.13 or later

Is CVE-2012-2661 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.0.0, < 3.0.13

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-2661
WEBlists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
WEBlists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html
WEBlists.opensuse.org/opensuse-updates/2012-08/msg00046.html