Vulnerability Name:

CVE-2012-2660 (CCN-76015)

Assigned:2012-05-31
Published:2012-05-31
Updated:2019-08-08
Summary:actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
5.6 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-264
Vulnerability Consequences:Data Manipulation
References:Source: MITRE
Type: CNA
CVE-2012-2660

Source: CCN
Type: Ruby on Rails Web Site
Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2012:0978

Source: SUSE
Type: UNKNOWN
SUSE-SU-2012:1012

Source: SUSE
Type: UNKNOWN
SUSE-SU-2012:1014

Source: SUSE
Type: UNKNOWN
SUSE-SU-2012:1015

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2012:1066

Source: CCN
Type: RHSA-2012-1542
Moderate: CloudForms Commons 1.1 security update

Source: CCN
Type: RHSA-2013-0154
Critical: Ruby on Rails security update

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0154

Source: CCN
Type: RHSA-2013-0582
Moderate: Red Hat OpenShift Enterprise 1.1.1 update

Source: CCN
Type: SA49297
Ruby on Rails Nested Query Parameters SQL Injection Vulnerability

Source: CCN
Type: IBM Security Bulletin 1626255
IBM Security Network Intrusion Prevention System can be affected by vulnerabilities in Ruby on Rails (CVE-2012-2660, CVE-2012-2694, CVE-2013-0156, CVE-2012-6496, CVE-2012-3424, and CVE-2012-2695)

Source: CCN
Type: IBM Security Bulletin 1626515
IBM Security Network Protection can be affected by vulnerabilities in Ruby on Rails (CVE-2012-2660, CVE-2012-2694, CVE-2013-0155, CVE-2013-0156, CVE-2012-6496, CVE-2012-3424, and CVE-2012-2695)

Source: CCN
Type: OSVDB ID: 82610
Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query Arbitrary IS NULL Clause Injection

Source: CCN
Type: BID-53754
Ruby on Rails CVE-2012-2660 SQL Injection Vulnerability

Source: XF
Type: UNKNOWN
rubyonrails-sql-injection(76015)

Source: MLIST
Type: Exploit
[rubyonrails-security] 20120531 Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.0.4:-:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:26228
    P
    		Security update for ghostscript (Moderate)
    2022-01-14
    oval:org.opensuse.security:def:26217
    P
    		Security update for java-1_7_1-ibm (Moderate) (in QA)
    2022-01-04
    oval:org.opensuse.security:def:26181
    P
    		Security update for mozilla-nss (Important)
    2021-12-06
    oval:org.opensuse.security:def:26117
    P
    		Security update for xen (Important)
    2021-09-02
    oval:org.opensuse.security:def:26106
    P
    		Security update for libmspack (Moderate)
    2021-08-17
    oval:org.opensuse.security:def:26105
    P
    		Security update for MozillaFirefox (Important)
    2021-08-17
    oval:org.opensuse.security:def:20122660
    V
    		CVE-2012-2660
    2021-08-15
    oval:org.opensuse.security:def:36556
    P
    		rubygem-actionpack-3_2-3.2.12-0.19.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:26216
    P
    		Security update for MozillaFirefox (Important)
    2021-03-31
    oval:org.opensuse.security:def:26682
    P
    		cyrus-imapd on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26420
    P
    		Security update for phpMyAdmin (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26992
    P
    		mozilla-xulrunner192 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26784
    P
    		mono-core on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26558
    P
    		gnutls on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:27665
    P
    		Security update for rubygem-activerecord
    2020-12-01
    oval:org.opensuse.security:def:26837
    P
    		vte on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26793
    P
    		openswan on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26390
    P
    		Security update for ark (Low)
    2020-12-01
    oval:org.opensuse.security:def:27519
    P
    		nagios on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26895
    P
    		findutils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26531
    P
    		coolkey on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26292
    P
    		Security update for the Linux Kernel (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26948
    P
    		libexiv2-4 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26735
    P
    		libMagickCore1-32bit on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26501
    P
    		Security update for chromium (Important)
    2020-12-01
    oval:org.opensuse.security:def:27630
    P
    		Security update for lcms
    2020-12-01
    oval:org.opensuse.security:def:26823
    P
    		star on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26642
    P
    		sysstat on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26309
    P
    		Security update for haproxy (Important)
    2020-12-01
    oval:org.opensuse.security:def:26881
    P
    		dbus-1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26846
    P
    		xterm on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26447
    P
    		Security update for pdns (Important)
    2020-12-01
    oval:org.opensuse.security:def:27554
    P
    		rubygem-actionpack-3_2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26934
    P
    		kvm on GA media (Moderate)
    2020-12-01
    oval:com.ubuntu.precise:def:20122660000
    V
    		CVE-2012-2660 on Ubuntu 12.04 LTS (precise) - low.
    2012-06-22
    oval:com.ubuntu.xenial:def:201226600000000
    V
    		CVE-2012-2660 on Ubuntu 16.04 LTS (xenial) - low.
    2012-06-22
    oval:com.ubuntu.trusty:def:20122660000
    V
    		CVE-2012-2660 on Ubuntu 14.04 LTS (trusty) - low.
    2012-06-22
    oval:com.ubuntu.xenial:def:20122660000
    V
    		CVE-2012-2660 on Ubuntu 16.04 LTS (xenial) - low.
    2012-06-22
    BACK
    rubyonrails rails 3.0.0
    rubyonrails rails 3.0.0 beta
    rubyonrails rails 3.0.0 beta2
    rubyonrails rails 3.0.0 beta3
    rubyonrails rails 3.0.0 beta4
    rubyonrails rails 3.0.0 rc
    rubyonrails rails 3.0.0 rc2
    rubyonrails rails 3.0.1
    rubyonrails rails 3.0.1 pre
    rubyonrails rails 3.0.2
    rubyonrails rails 3.0.2 pre
    rubyonrails rails 3.0.3
    rubyonrails rails 3.0.4 rc1
    rubyonrails rails 3.0.5
    rubyonrails rails 3.0.5 rc1
    rubyonrails rails 3.0.6
    rubyonrails rails 3.0.6 rc1
    rubyonrails rails 3.0.6 rc2
    rubyonrails rails 3.0.7
    rubyonrails rails 3.0.7 rc1
    rubyonrails rails 3.0.7 rc2
    rubyonrails rails 3.0.8
    rubyonrails rails 3.0.8 rc1
    rubyonrails rails 3.0.8 rc2
    rubyonrails rails 3.0.8 rc3
    rubyonrails rails 3.0.8 rc4
    rubyonrails rails 3.0.9
    rubyonrails rails 3.0.9 rc1
    rubyonrails rails 3.0.9 rc2
    rubyonrails rails 3.0.9 rc3
    rubyonrails rails 3.0.9 rc4
    rubyonrails rails 3.0.9 rc5
    rubyonrails rails 3.0.10
    rubyonrails rails 3.0.10 rc1
    rubyonrails rails 3.0.11
    rubyonrails rails 3.0.12
    rubyonrails rails 3.0.12 rc1
    rubyonrails rails 3.0.13 rc1
    rubyonrails ruby on rails 3.0.4
    rubyonrails rails 3.1.0
    rubyonrails rails 3.1.0 beta1
    rubyonrails rails 3.1.0 rc1
    rubyonrails rails 3.1.0 rc2
    rubyonrails rails 3.1.0 rc3
    rubyonrails rails 3.1.0 rc4
    rubyonrails rails 3.1.0 rc5
    rubyonrails rails 3.1.0 rc6
    rubyonrails rails 3.1.0 rc7
    rubyonrails rails 3.1.0 rc8
    rubyonrails rails 3.1.1
    rubyonrails rails 3.1.1 rc1
    rubyonrails rails 3.1.1 rc2
    rubyonrails rails 3.1.1 rc3
    rubyonrails rails 3.1.2
    rubyonrails rails 3.1.2 rc1
    rubyonrails rails 3.1.2 rc2
    rubyonrails rails 3.1.3
    rubyonrails rails 3.1.4
    rubyonrails rails 3.1.4 rc1
    rubyonrails rails 3.1.5 rc1
    rubyonrails rails 3.2.0
    rubyonrails rails 3.2.0 rc1
    rubyonrails rails 3.2.0 rc2
    rubyonrails rails 3.2.1
    rubyonrails rails 3.2.2
    rubyonrails rails 3.2.2 rc1
    rubyonrails rails 3.2.3
    rubyonrails rails 3.2.3 rc1
    rubyonrails rails 3.2.3 rc2
    rubyonrails rails 3.2.4 rc1