SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)
Created by: kirantpatil
SQL Injection Vulnerability in Ruby on Rails
There is a SQL injection vulnerability in Active Record in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-5664.
Versions Affected: All. Not affected: NONE. Fixed Versions: 3.2.10, 3.1.9, 3.0.18
Impact
Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.
All users running an affected release should either upgrade or use one of the work arounds immediately.
For more information: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM