FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygem-rails -- SQL injection vulnerability

Affected packages
rubygem-rails < 3.2.10

Details

VuXML ID: b4051b52-58fa-11e2-853b-00262d5ed8ee
Discovery: 2013-01-02
Entry: 2013-01-07

Ruby on Rails team reports:

There is a SQL injection vulnerability in Active Record in ALL versions. Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.
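The following is an added illustration, not code from the advisory or from Rails itself: a deliberately simplified stand-in for a dynamic finder that, like the behaviour the report describes, treats a trailing Hash argument as its options (scope) hash, followed by a guard that lets only scalar request values reach the finder. The finder returns the query pieces instead of touching a database, so the effect can be inspected offline.

```ruby
# Stand-in for a dynamic finder such as find_by_name. This is NOT Active
# Record's code; it only models the option-extraction step the advisory
# refers to: if the last argument is a Hash it is taken as the options
# hash, so a structured request parameter becomes the scope.
def find_by_name(*args)
  options = args.last.is_a?(Hash) ? args.pop : {}
  {
    where: { name: args.first },
    select: options[:select] || "*",
    limit: options[:limit]
  }
end

# Mitigation: request parsers can hand back Hashes and Arrays, so anything
# destined for a finder is checked to be a plain scalar first. Structured
# values are rejected rather than silently interpreted as a scope.
class UnsafeFinderArgument < ArgumentError; end

def scalar_param(value)
  case value
  when String, Integer, Float, NilClass
    value
  else
    raise UnsafeFinderArgument, "expected a scalar, got #{value.class}"
  end
end

# Hardened entry point: the finder only ever sees a scalar.
def safe_find_by_name(raw_param)
  find_by_name(scalar_param(raw_param))
end
```

With a plain string both paths produce the same query; with a Hash the unguarded finder turns it into the scope while the guarded one raises.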

References

CVE Name: CVE-2012-5664
URL: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM