GHSA-q34c-48gc-m9g8

Suggest an improvement
Source
https://github.com/advisories/GHSA-q34c-48gc-m9g8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-q34c-48gc-m9g8/GHSA-q34c-48gc-m9g8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-q34c-48gc-m9g8
Aliases
  • CVE-2012-2694
Published
2017-10-24T18:33:38Z
Modified
2024-11-29T05:34:10.224880Z
Summary
actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request
Details

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain ['xyz', nil] values, a related issue to CVE-2012-2660.

Database specific
{
    "nvd_published_at": "2012-06-22T14:55:01Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:50:37Z"
}
References

Affected packages

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.14

Affected versions

0.*

0.9.0
0.9.5

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.4.0
1.5.0
1.5.1
1.6.0
1.7.0
1.8.0
1.8.1
1.9.0
1.9.1
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6

2.*

2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.2
2.2.3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8.pre1
2.3.8
2.3.9.pre
2.3.9
2.3.10
2.3.11
2.3.12
2.3.14
2.3.15
2.3.16
2.3.17
2.3.18

3.*

3.0.0.beta
3.0.0.beta2
3.0.0.beta3
3.0.0.beta4
3.0.0.rc
3.0.0.rc2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4
3.0.8
3.0.9.rc1
3.0.9.rc3
3.0.9.rc4
3.0.9.rc5
3.0.9
3.0.10.rc1
3.0.10
3.0.11
3.0.12.rc1
3.0.12
3.0.13.rc1
3.0.13

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.6

Affected versions

3.*

3.1.0
3.1.1.rc1
3.1.1.rc2
3.1.1.rc3
3.1.1
3.1.2.rc1
3.1.2.rc2
3.1.2
3.1.3
3.1.4.rc1
3.1.4
3.1.5.rc1
3.1.5

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.6

Affected versions

3.*

3.2.0
3.2.1
3.2.2.rc1
3.2.2
3.2.3.rc1
3.2.3.rc2
3.2.3
3.2.4.rc1
3.2.4
3.2.5