Vulnerability Database
289,784
Total vulnerabilities in the database
CVE-2012-2660
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
| Software | From | Fixed in |
|---|---|---|
| rubyonrails / ruby_on_rails | 3.0.4 | 3.0.4.x |
| rubyonrails / rails | 3.0.0-beta | 3.0.0-beta.x |
| rubyonrails / rails | 3.0.0-beta2 | 3.0.0-beta2.x |
| rubyonrails / rails | 3.0.0-beta3 | 3.0.0-beta3.x |
| rubyonrails / rails | 3.0.0-beta4 | 3.0.0-beta4.x |
| rubyonrails / rails | 3.0.0-rc | 3.0.0-rc.x |
| rubyonrails / rails | 3.0.0-rc2 | 3.0.0-rc2.x |
| rubyonrails / rails | 3.0.1-pre | 3.0.1-pre.x |
| rubyonrails / rails | 3.0.2-pre | 3.0.2-pre.x |
| rubyonrails / rails | 3.0.0 | 3.0.0.x |
| rubyonrails / rails | 3.0.10-rc1 | 3.0.10-rc1.x |
| rubyonrails / rails | 3.0.10 | 3.0.10.x |
| rubyonrails / rails | 3.0.12-rc1 | 3.0.12-rc1.x |
| rubyonrails / rails | 3.0.12 | 3.0.12.x |
| rubyonrails / rails | 3.0.13-rc1 | 3.0.13-rc1.x |
| rubyonrails / rails | 3.0.1 | 3.0.1.x |
| rubyonrails / rails | 3.0.2 | 3.0.2.x |
| rubyonrails / rails | 3.0.3 | 3.0.3.x |
| rubyonrails / rails | 3.0.11 | 3.0.11.x |
| rubyonrails / rails | 3.0.4-rc1 | 3.0.4-rc1.x |
| rubyonrails / rails | 3.0.5 | 3.0.5.x |
| rubyonrails / rails | 3.0.5-rc1 | 3.0.5-rc1.x |
| rubyonrails / rails | 3.0.6-rc1 | 3.0.6-rc1.x |
| rubyonrails / rails | 3.0.6-rc2 | 3.0.6-rc2.x |
| rubyonrails / rails | 3.0.6 | 3.0.6.x |
| rubyonrails / rails | 3.0.7-rc1 | 3.0.7-rc1.x |
| rubyonrails / rails | 3.0.7-rc2 | 3.0.7-rc2.x |
| rubyonrails / rails | 3.0.7 | 3.0.7.x |
| rubyonrails / rails | 3.0.8-rc1 | 3.0.8-rc1.x |
| rubyonrails / rails | 3.0.8-rc2 | 3.0.8-rc2.x |
| rubyonrails / rails | 3.0.8-rc3 | 3.0.8-rc3.x |
| rubyonrails / rails | 3.0.8-rc4 | 3.0.8-rc4.x |
| rubyonrails / rails | 3.0.8 | 3.0.8.x |
| rubyonrails / rails | 3.0.9-rc1 | 3.0.9-rc1.x |
| rubyonrails / rails | 3.0.9-rc2 | 3.0.9-rc2.x |
| rubyonrails / rails | 3.0.9-rc3 | 3.0.9-rc3.x |
| rubyonrails / rails | 3.0.9-rc4 | 3.0.9-rc4.x |
| rubyonrails / rails | 3.0.9 | 3.0.9.x |
| rubyonrails / rails | 3.0.9-rc5 | 3.0.9-rc5.x |
| rubyonrails / rails | 3.1.0-beta1 | 3.1.0-beta1.x |
| rubyonrails / rails | 3.1.0-rc1 | 3.1.0-rc1.x |
| rubyonrails / rails | 3.1.0-rc2 | 3.1.0-rc2.x |
| rubyonrails / rails | 3.1.0-rc3 | 3.1.0-rc3.x |
| rubyonrails / rails | 3.1.0-rc4 | 3.1.0-rc4.x |
| rubyonrails / rails | 3.1.0-rc5 | 3.1.0-rc5.x |
| rubyonrails / rails | 3.1.0-rc6 | 3.1.0-rc6.x |
| rubyonrails / rails | 3.1.0-rc7 | 3.1.0-rc7.x |
| rubyonrails / rails | 3.1.0 | 3.1.0.x |
| rubyonrails / rails | 3.1.0-rc8 | 3.1.0-rc8.x |
| rubyonrails / rails | 3.1.1-rc1 | 3.1.1-rc1.x |
| rubyonrails / rails | 3.1.1-rc2 | 3.1.1-rc2.x |
| rubyonrails / rails | 3.1.1 | 3.1.1.x |
| rubyonrails / rails | 3.1.1-rc3 | 3.1.1-rc3.x |
| rubyonrails / rails | 3.1.2-rc1 | 3.1.2-rc1.x |
| rubyonrails / rails | 3.1.2-rc2 | 3.1.2-rc2.x |
| rubyonrails / rails | 3.1.2 | 3.1.2.x |
| rubyonrails / rails | 3.1.4 | 3.1.4.x |
| rubyonrails / rails | 3.1.4-rc1 | 3.1.4-rc1.x |
| rubyonrails / rails | 3.1.5-rc1 | 3.1.5-rc1.x |
| rubyonrails / rails | 3.1.3 | 3.1.3.x |
| rubyonrails / rails | 3.2.0-rc1 | 3.2.0-rc1.x |
| rubyonrails / rails | 3.2.0-rc2 | 3.2.0-rc2.x |
| rubyonrails / rails | 3.2.0 | 3.2.0.x |
| rubyonrails / rails | 3.2.1 | 3.2.1.x |
| rubyonrails / rails | 3.2.2-rc1 | 3.2.2-rc1.x |
| rubyonrails / rails | 3.2.2 | 3.2.2.x |
| rubyonrails / rails | 3.2.3-rc1 | 3.2.3-rc1.x |
| rubyonrails / rails | 3.2.3 | 3.2.3.x |
| rubyonrails / rails | 3.2.3-rc2 | 3.2.3-rc2.x |
| rubyonrails / rails | 3.2.4-rc1 | 3.2.4-rc1.x |
actionpack
|
- | 3.0.13 |
|
actionpack
|
3.1.0 | 3.1.5 |
|
actionpack
|
3.2.0 | 3.2.4 |
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html
- http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
- http://rhn.redhat.com/errata/RHSA-2013-0154.html
- https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain