oss-sec mailing list archives
Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)
From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Thu, 03 Jan 2013 13:30:52 +0100
On 02/01/13 22:22, Aaron Patterson wrote:
There is a SQL injection vulnerability in Active Record in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-5664.
CVE-2012-5664 literally says: "SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows remote attackers to execute arbitrary SQL commands via a crafted parameter in conjunction with a secret_token value, related to certain behavior of find_by_id and other find_by_ methods." However in your description of the bug I don't see any references to the Authlogic gem. This rather seems to be a generic RoR issue. And both Debian and Ubuntu have marked this CVE as NOT-FOR-US because of this (they don't ship Authlogic gem). Could you please clarify this? Thanks!
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Aaron Patterson (Jan 02)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Carlos Alberto Lopez Perez (Jan 03)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Carlos Alberto Lopez Perez (Jan 03)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Seth Arnold (Jan 03)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) cve-assign (Jan 03)
- Re: Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Seth Arnold (Jan 04)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Carlos Alberto Lopez Perez (Jan 03)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Carlos Alberto Lopez Perez (Jan 03)