CVE-2012-6497: Remote attacker can conduct SQL injection attacks

January 3, 2013 (updated August 8, 2019)

Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered when the program makes an unsafe method call for find_by_id. With a specially crafted parameter in an environment that knows the secret_token value in secret_token.rb, a remote attacker to more easily conduct SQL injection attacks.

References

github.com/binarylogic/authlogic/commit/1d57a6c4abe43a3c0b4ef578486ea00e1f7a9873
github.com/rubysec/ruby-advisory-db/blob/master/gems/authlogic/OSVDB-89064.yml

Detect and mitigate CVE-2012-6497 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →