CVE-2012-6497 — Authlogic Information Exposure vulnerability

Description

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.

How to fix CVE-2012-6497

To remediate CVE-2012-6497, upgrade the affected package to a fixed version below.

Debian/rails—upgrade to 2.3.14.1 or later
—upgrade to 3.3.0 or later

Is CVE-2012-6497 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.3.14.1
from 0, < 3.3.0

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-6497
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-6497
PATCHgithub.com/binarylogic/authlogic
WEBblog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts