CVE-2012-2660: SQL Injection
Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary IS NULL clauses into application SQL queries. This may also allow an attacker to have the SQL query check for NULL in arbitrary places.
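
A defensive normalisation for the flaw described above, as an added example that is not code from Rails, Rack or this advisory. It assumes the parsed parameter hash can carry nil, or an array containing nil, where the application expects a string; `scrub_nils`, `lookup_key` and the sample hashes are hypothetical names and constructed data.

```ruby
# Added example: normalise a parsed parameter hash before it reaches a query.
# The sample hashes below are constructed for illustration.

# Recursively drop nil elements from arrays; an array left empty becomes nil,
# so an ordinary presence check sees "no value" instead of a non-nil container.
def scrub_nils(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = scrub_nils(v) }
  when Array
    cleaned = value.map { |v| scrub_nils(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# Accept only a non-empty scalar string as a lookup key; anything else
# (nil, Array, Hash) is rejected before a query condition is built from it.
def lookup_key(params, name)
  value = scrub_nils(params)[name]
  return nil unless value.is_a?(String) && !value.empty?
  value
end

SAMPLES = {
  plain:        { "token" => "abc123" },
  nil_in_array: { "token" => [nil] },
  mixed_array:  { "token" => ["abc123", nil] },
  nested:       { "user" => { "token" => [nil] } },
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, params|
    puts "#{label}: scrubbed=#{scrub_nils(params).inspect} " \
         "key=#{lookup_key(params, 'token').inspect}"
  end
end
```

A caller that receives nil from `lookup_key` should skip the lookup entirely, so no condition on that column is ever built from the request.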