CVE-2012-6496
rails - input validation error
EPSS 1.0%
Description
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request. The request leverages incorrect behavior of dynamic finders in applications that pass data of unexpected types (for example a nested structure where a scalar is expected) to certain find_by_ method calls.
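Added defensive example, not code from the advisory or from Rails: a request-parameter guard that refuses to hand anything but a scalar to a dynamic finder. Rack parses `token[x]=1` into a Hash and `token[]=1` into an Array, which is the kind of unexpected type the description refers to; the helper names and the in-memory stand-in for the finder are assumptions made for this example.

```ruby
# Raised when a request parameter that must be a scalar arrives as a Hash/Array.
class UnexpectedParamType < ArgumentError; end

# Types an application should accept for an attribute passed to find_by_<attr>.
SCALAR_TYPES = [String, Integer].freeze

# Return the parameter as a String; raise if it is missing or non-scalar.
# Checking the type before the finder call means a crafted query string such as
# "token[x]=1" never reaches ActiveRecord as a Hash.
def scalar_param!(params, key)
  value = params[key.to_s] || params[key.to_sym]
  raise UnexpectedParamType, "#{key} missing" if value.nil?
  unless SCALAR_TYPES.any? { |t| value.is_a?(t) }
    raise UnexpectedParamType, "#{key} is #{value.class}, expected String/Integer"
  end
  value.to_s
end

# Simulated call site. In a real application `finder` would be
# User.method(:find_by_token); here it is a lambda over a constructed table.
def lookup_user_by_token(params, finder)
  token = scalar_param!(params, :token) # fails closed on Hash/Array input
  finder.call(token)
end

# Constructed sample data standing in for the users table.
USERS = { "abc123" => { id: 7, name: "alice" } }.freeze
FINDER = ->(token) { USERS[token] }

# Detection helper for logging: which expected-scalar keys arrived as
# nested structures in a parsed params hash.
def non_scalar_keys(params, expected_scalars)
  expected_scalars.select do |k|
    v = params[k.to_s]
    v.is_a?(Hash) || v.is_a?(Array)
  end
end

if __FILE__ == $0
  p lookup_user_by_token({ "token" => "abc123" }, FINDER)          # {:id=>7, :name=>"alice"}
  p non_scalar_keys({ "token" => { "x" => "1" } }, [:token, :page]) # [:token]
end
```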
How to fix CVE-2012-6496
To remediate CVE-2012-6496, upgrade the affected package to a fixed version below.
- Debian/rails—upgrade to 2.3.14.1 or later
- Debian/rails—upgrade to 2.3.5-1.2+squeeze4 or later
- —upgrade to 3.0.18 or later
Is CVE-2012-6496 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.3.14.1
- from 0, < 2.3.5-1.2+squeeze4
- >= 3.0.0.beta, < 3.0.18