1. Home
  2. CVE Database
  3. CVE-2012-6496
HIGH · 7.5

CVE-2012-6496

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a c...

Vulnerability Description

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
PARTIAL

Affected Products

VendorProductVersions
RubyonrailsRails3.1.0
RubyonrailsRuby On Rails<= 3.0.17

Related Weaknesses (CWE)

CWE-89

References

FAQ

What is CVE-2012-6496?

CVE-2012-6496 is a vulnerability with a CVSS score of 7.5 (HIGH). SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a c...

How severe is CVE-2012-6496?

CVE-2012-6496 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2012-6496?

Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Rails, Rubyonrails Ruby On Rails.