actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
Metrics
Affected Vendors & Products
References
History
No history.

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-06T19:42:31.885Z
Reserved: 2012-05-14T00:00:00
Link: CVE-2012-2660

No data.

Status : Deferred
Published: 2012-06-22T14:55:01.020
Modified: 2025-04-11T00:51:21.963
Link: CVE-2012-2660


No data.