Platform: ruby
Component: activerecord
Fixed in: 3.0.14
CVE-2012-2695 describes a SQL Injection vulnerability within the Active Record component of Ruby on Rails. This flaw allows remote attackers to inject malicious SQL code through nested query parameters, potentially compromising sensitive data. The vulnerability impacts versions of Ruby on Rails prior to 3.0.9.rc5, and a fix is available in version 3.0.14.
Successful exploitation of CVE-2012-2695 can allow an attacker to bypass application security controls and directly manipulate the database. This could lead to unauthorized data access, modification, or deletion. The vulnerability stems from improper handling of nested hashes within ActiveRecord's where method, enabling attackers to craft malicious queries that bypass intended filtering. The impact is amplified if the database contains sensitive information such as user credentials, financial data, or personally identifiable information (PII). This vulnerability shares similarities with CVE-2012-2661, highlighting a broader issue in ActiveRecord's query parameter handling.
CVE-2012-2695 was published in 2017, though the underlying vulnerability existed earlier. There is no indication of this CVE being actively exploited in the wild. Public proof-of-concept exploits are available, demonstrating the vulnerability's feasibility. It is not listed on the CISA KEV catalog. The EPSS score is likely low, given the age of the vulnerability and lack of confirmed exploitation.
Exploit status
EPSS: 0.64% (70th percentile)
The primary mitigation for CVE-2012-2695 is to upgrade to a patched version of Ruby on Rails, specifically 3.0.14 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Carefully review and sanitize all user-supplied input used in ActiveRecord queries. Employ parameterized queries or prepared statements to prevent SQL injection. Web application firewalls (WAFs) configured to detect and block SQL injection attempts can provide an additional layer of defense. Monitor application logs for suspicious SQL queries that might indicate exploitation attempts.
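The workaround above, sanitizing user-supplied conditions before they reach ActiveRecord's `where`, is illustrated by the following allowlist filter. This is an added example, not code from the advisory or from Rails itself, and it runs without ActiveRecord: `build_where` is a small stand-in for the query builder that shows column names coming only from the allowlist and values becoming bind parameters. The column names in `ALLOWED_COLUMNS` and the sample inputs are constructed for the illustration.

```ruby
# Added example (not from the advisory or from Rails): an allowlist filter for
# user-supplied query conditions. The weakness the advisory describes is a nested
# hash reaching `where`, where hash keys are interpreted as table and column
# names. This helper only lets flat, allowlisted column => scalar pairs through.

ALLOWED_COLUMNS = %w[name email status].freeze # assumed columns for illustration

class UnsafeQueryParam < StandardError; end

# Scalars are the only values we pass on as bind parameters.
def scalar?(v)
  v.is_a?(String) || v.is_a?(Numeric) || v == true || v == false || v.nil?
end

# Returns a new Hash containing only permitted column => value pairs.
# Raises UnsafeQueryParam on anything else (nested hashes, unknown columns,
# non-Hash input), so a bad request fails closed instead of reaching the query.
def safe_conditions(params, allowed = ALLOWED_COLUMNS)
  raise UnsafeQueryParam, "conditions must be a Hash" unless params.is_a?(Hash)

  params.each_with_object({}) do |(key, value), out|
    column = key.to_s
    raise UnsafeQueryParam, "column not permitted: #{column}" unless allowed.include?(column)

    # Nested hashes are how table-qualified conditions are expressed; refuse
    # them, and anything else that is not a scalar or a flat array of scalars.
    unless scalar?(value) || (value.is_a?(Array) && value.all? { |v| scalar?(v) })
      raise UnsafeQueryParam, "non-scalar value for #{column}"
    end

    out[column] = value
  end
end

# Minimal stand-in for the query builder so the example runs stand-alone:
# the column names come from the already-filtered hash, the values never get
# interpolated into the SQL string and are returned as bind parameters.
def build_where(table, conditions)
  clauses = []
  binds = []
  conditions.each do |col, val|
    if val.is_a?(Array)
      clauses << "#{table}.#{col} IN (#{(['?'] * val.size).join(', ')})"
      binds.concat(val)
    else
      clauses << "#{table}.#{col} = ?"
      binds << val
    end
  end
  ["SELECT * FROM #{table} WHERE #{clauses.join(' AND ')}", binds]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters: one well-formed, one carrying a nested hash.
  ok = safe_conditions({ "status" => "active", "name" => %w[alice bob] })
  p build_where("users", ok)
  begin
    safe_conditions({ "status" => { "admin" => true } })
  rescue UnsafeQueryParam => e
    puts "rejected: #{e.message}"
  end
end
```

In a real application the filtered hash would be handed to `Model.where(safe_conditions(params[:filter]))`; the point is that the allowlist, not the client, decides which keys become column names.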
No official patch available. Check for workarounds or monitor for updates.
CVE-2012-2695 is a SQL Injection vulnerability in Ruby on Rails versions before 3.0.14. It allows attackers to inject malicious SQL code through improperly handled nested query parameters, potentially compromising database data.
You are affected if your Ruby on Rails application is running a version prior to 3.0.14 (≤3.0.9.rc5). Check your application's version string to determine if you are vulnerable.
The recommended fix is to upgrade your Ruby on Rails application to version 3.0.14 or later. If an upgrade isn't immediately possible, implement input validation and sanitization on all user-supplied data.
While no active campaigns targeting this specific CVE are publicly known, the underlying SQL Injection vulnerability remains a risk. It's crucial to apply the patch or implement mitigating controls.
Refer to the Ruby on Rails security advisories and the NVD database for detailed information: [https://nvd.nist.gov/vuln/detail/CVE-2012-2695](https://nvd.nist.gov/vuln/detail/CVE-2012-2695)