SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

Created by: kirantpatil

SQL Injection Vulnerability in Ruby on Rails

There is a SQL injection vulnerability in Active Record in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-5664.

Versions Affected: All. Not affected: NONE. Fixed Versions: 3.2.10, 3.1.9, 3.0.18

Impact

Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.

All users running an affected release should either upgrade or use one of the work arounds immediately.

For more information: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM

Created by: m4tthumphrey

Has been fixed in Rails. http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/#.UOV2N2_eT_8

By Administrator on 2013-01-03T12:20:10 (imported from GitLab)

Created by: mathgl67

It seem to be fixed in de05a598 for the master branch. Can it be backported in the 4-0-stable branch ?

By Administrator on 2013-01-05T20:30:55 (imported from GitLab)