CVE-2012-2660

Published: 22 June 2012

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694. There is a vulnerability when Active Record is used in conjunction with parameter parsing from Rack via Action Pack.

Priority

Low

Status

Package / Release / Status

rails (Launchpad, Ubuntu, Debian)
  Upstream                         Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus)  Not vulnerable (contains no code)
  Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist (trusty was not-affected [contains no code])

ruby-rails-2.3 (Launchpad, Ubuntu, Debian)
  Upstream                         Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus)  Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist