The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Cloudforms Cloudengine
  • 1
Redhat
  • Openshift
Rhel Sam
  • 1.1
Rubyonrails
  • Rails
  • Ruby On Rails

Configuration 1 [-]

OR cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*
Package CPE Advisory Released Date
CloudForms for RHEL 6
converge-ui-devel-0:1.0.4-1.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
puppet-0:2.6.17-2.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-actionpack-1:3.0.10-10.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-activerecord-1:3.0.10-6.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-activesupport-1:3.0.10-4.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-chunky_png-0:1.2.0-3.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-compass-0:0.11.5-2.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-compass-960-plugin-0:0.10.4-2.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-delayed_job-0:2.1.4-2.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-ldap_fluff-0:0.1.3-1.el6_3 cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-mail-0:2.3.0-3.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
rubygem-net-ldap-0:0.1.1-3.el6cf cpe:/a:cloudforms_cloudengine:1::el6 RHSA-2012:1542 2012-12-04T00:00:00Z
Red Hat Subscription Asset Manager 1.1
rubygem-actionpack-1:3.0.10-11.el6cf cpe:/a:rhel_sam:1.1::el6 RHSA-2013:0154 2013-01-10T00:00:00Z
rubygem-activerecord-1:3.0.10-8.el6cf cpe:/a:rhel_sam:1.1::el6 RHSA-2013:0154 2013-01-10T00:00:00Z
rubygem-activesupport-1:3.0.10-5.el6cf cpe:/a:rhel_sam:1.1::el6 RHSA-2013:0154 2013-01-10T00:00:00Z
RHEL 6 Version of OpenShift Enterprise
graphviz-0:2.26.0-10.el6 cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-console-0:0.0.16-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-broker-0:1.0.11-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-broker-util-0:1.0.15-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-cron-1.4-0:1.0.3-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-diy-0.1-0:1.0.3-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-haproxy-1.4-0:1.0.4-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-jbosseap-6.0-0:1.0.4-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-jbossews-1.0-0:1.0.13-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-jenkins-1.4-0:1.0.2-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-jenkins-client-1.4-0:1.0.2-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-mysql-5.1-0:1.0.5-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-perl-5.10-0:1.0.3-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-php-5.3-0:1.0.5-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-postgresql-8.4-0:1.0.3-2.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-ruby-1.8-0:1.0.7-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-cartridge-ruby-1.9-scl-0:1.0.8-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
openshift-origin-msg-node-mcollective-0:1.0.3-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
php-0:5.3.3-22.el6 cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
ruby193-ruby-0:1.9.3.327-25.el6 cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
ruby193-rubygem-actionpack-1:3.2.8-3.el6 cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
ruby193-rubygem-activemodel-0:3.2.8-2.el6 cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
ruby193-rubygem-activerecord-1:3.2.8-3.el6 cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
ruby193-rubygem-railties-0:3.2.8-2.el6 cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
ruby193-rubygem-ruby_parser-0:2.3.1-3.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-actionpack-1:3.0.13-4.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-activemodel-0:3.0.13-3.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-activerecord-1:3.0.13-5.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-bson-0:1.8.1-2.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-mongo-0:1.8.1-2.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-openshift-origin-auth-remote-user-0:1.0.5-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-openshift-origin-console-0:1.0.10-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-openshift-origin-controller-0:1.0.12-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-openshift-origin-node-0:1.0.11-1.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
rubygem-ruby_parser-0:2.0.4-6.el6op cpe:/a:redhat:openshift:1::el6 RHSA-2013:0582 2013-02-28T00:00:00Z
References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0154.html cve-icon cve-icon
https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2012-2661 cve-icon
https://www.cve.org/CVERecord?id=CVE-2012-2661 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-06-22T14:00:00

Updated: 2024-08-06T19:42:31.596Z

Reserved: 2012-05-14T00:00:00

Link: CVE-2012-2661

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2012-06-22T14:55:01.067

Modified: 2019-08-08T15:42:45.623

Link: CVE-2012-2661

cve-icon Redhat

Severity : Low

Publid Date: 2012-05-31T00:00:00Z

Links: CVE-2012-2661 - Bugzilla