Platform: ruby
Component: activerecord
Fixed in: 3.0.14
CVE-2012-2695 describes a SQL injection vulnerability in the Active Record component of Ruby on Rails. Request data passed straight into an ActiveRecord `where` call is not handled correctly when the parameter arrives as a nested structure (a hash or array rather than a scalar), so a remote attacker who controls query parameters can alter the generated SQL and read data they were never meant to see. The vulnerability affects Ruby on Rails before 3.0.14, 3.1.x before 3.1.6 and 3.2.x before 3.2.6; the 3.0 series fix is 3.0.14.
Successful exploitation of CVE-2012-2695 lets an attacker manipulate database queries, potentially leading to unauthorized data access, modification or deletion. Nested query parameters reaching ActiveRecord's `where` method are mishandled, so a crafted parameter changes which columns or tables the condition refers to instead of being treated as a plain value. The blast radius extends to any data reachable through the affected ActiveRecord models. The issue is the incomplete fix for CVE-2012-2661, the earlier nested-parameter injection in the same code path, which points to a broader weakness in how ActiveRecord built conditions from request data at the time. A malicious actor could extract user credentials, financial information or other sensitive data stored in the database.
CVE-2012-2695 was published in 2012. No active campaigns targeting this specific CVE are publicly known, but the underlying SQL injection weakness remains a significant risk for any application still on an affected release. The vulnerability is not listed on KEV. Its EPSS score is low (0.64%, around the 70th percentile), consistent with its age and the long availability of a patch. Public proof-of-concept exploits are available, so exploitation is practical for anyone who finds an unpatched instance.
Exploit Status
EPSS: 0.64% (70th percentile)
The primary mitigation for CVE-2012-2695 is to upgrade to Ruby on Rails 3.0.14 or later (3.1.6 or 3.2.6 on those branches). If an immediate upgrade is not feasible, stop passing raw request parameters into `where` conditions: cast each value to the expected scalar type (for example with `Integer(params[:id])`) or reject anything that is not a String before it reaches the query, so a nested hash or array from the URL can never be interpreted as a column or table reference. A web application firewall configured to detect and block SQL injection attempts adds a defense-in-depth layer but does not replace the patch. Review and harden ActiveRecord query construction practices to prevent similar issues. After upgrading, confirm the fix by replaying a request with nested query parameters against a test instance and checking the generated SQL in the query log: the condition must bind the parameter as a value and reference only the intended column.
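To make the mechanism described above and the recommended input handling concrete, here is an added example (not Rails or ActiveRecord code, and not from the original page). It contains a minimal nested-query parser that mimics the shape Rack and Rails hand to a controller, so you can see that `?id[users.id]=1` arrives as a Hash rather than a String, and a guard that casts the parameter to a scalar before anything resembling `where(:id => params[:id])` is built. The parser, the `scalar_param!`/`safe_post_id` helpers and the query strings are illustrative constructions, not the framework's own implementation.

```ruby
# Added example (not Rails code): how a nested query parameter reaches a
# `where` call, and a guard that keeps it scalar. Helper names are assumptions.
require 'cgi'

# Minimal nested-query parser covering the two shapes relevant here:
#   "id=1"            -> {"id" => "1"}
#   "id[users.id]=1"  -> {"id" => {"users.id" => "1"}}   (nested hash)
#   "id[]=1&id[]=2"   -> {"id" => ["1", "2"]}            (flat array)
def parse_nested_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_val = pair.split('=', 2)
    key = CGI.unescape(raw_key)
    val = CGI.unescape(raw_val.to_s)
    # "id[users.id][x]" -> ["id", "users.id", "x"]; "id[]" -> ["id", ""]
    head, rest = key.split('[', 2)
    segments = [head]
    if rest
      parts = rest.chomp(']')
      segments.concat(parts.empty? ? [''] : parts.split('][', -1))
    end
    assign_nested(params, segments, val)
  end
  params
end

def assign_nested(container, segments, val)
  key, *rest = segments
  if rest.empty?
    container[key] = val
  elsif rest == ['']
    (container[key] ||= []) << val
  else
    assign_nested(container[key] ||= {}, rest, val)
  end
end

# What an unguarded `where(:id => params['id'])` would receive: for the crafted
# URL this is a Hash, which is the condition shape the advisory warns about.
def condition_for(params)
  { 'id' => params['id'] }
end

class UnsafeParameter < ArgumentError; end

# Accept only a scalar for a column-equality condition; reject hashes/arrays.
def scalar_param!(value, name)
  case value
  when String, Integer then value
  else raise UnsafeParameter, "#{name} must be a scalar, got #{value.class}"
  end
end

# Hardened lookup key: Integer() raises on anything that is not a whole number,
# so neither a nested hash nor "1 OR 1=1" can reach the query.
def safe_post_id(params)
  Integer(scalar_param!(params['id'], 'id'))
end

if __FILE__ == $PROGRAM_NAME
  crafted = parse_nested_query('id[users.id]=1')   # constructed attacker input
  p condition_for(crafted)                         # {"id"=>{"users.id"=>"1"}}
  begin
    safe_post_id(crafted)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  p safe_post_id(parse_nested_query('id=42'))      # 42
end
```

The point of `condition_for` is only to show the shape reaching the query builder; once a Hash can get that far, whether a given Rails release mistakes its key for a table-qualified column is exactly what the patch changes, and the cast in `safe_post_id` makes the question moot for the application's own code.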
CVE-2012-2695 is a SQL injection vulnerability in Ruby on Rails before 3.0.14 (and 3.1.x before 3.1.6, 3.2.x before 3.2.6). It allows attackers to alter database queries through improperly handled nested query parameters passed to ActiveRecord's `where` method, potentially exposing or modifying database data.
You are affected if your Ruby on Rails application runs a version before 3.0.14, a 3.1.x release before 3.1.6, or a 3.2.x release before 3.2.6. Check the `activerecord` (or `rails`) version pinned in your Gemfile.lock rather than relying on memory.
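An added example (not from the original page, and not the site's own checker) of that version check, reading the `activerecord` entry from a Gemfile.lock and comparing it with `Gem::Version` against the fixed releases. The lockfile text is constructed for the example; point `activerecord_version` at your real file contents.

```ruby
# Added example: is the pinned activerecord release affected by CVE-2012-2695?
require 'rubygems' # Gem::Version (stdlib)

# Affected ranges per the advisory: before 3.0.14, 3.1.x before 3.1.6,
# 3.2.x before 3.2.6. Anything 3.2.6 or newer is out of scope.
def affected?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < Gem::Version.new('3.0.14')
  return true if v >= Gem::Version.new('3.1') && v < Gem::Version.new('3.1.6')
  return true if v >= Gem::Version.new('3.2') && v < Gem::Version.new('3.2.6')
  false
end

# The direct spec line in a Gemfile.lock is indented four spaces and carries a
# bare version: "    activerecord (3.0.13)". Dependency lines under other gems
# are deeper and use an operator ("(= 3.0.13)"), so require a digit after "(".
def activerecord_version(lockfile_text)
  m = lockfile_text.match(/^ {4}activerecord \((\d[^)]*)\)/)
  m && m[1]
end

def lockfile_affected?(lockfile_text)
  version = activerecord_version(lockfile_text)
  raise 'no activerecord spec found in Gemfile.lock' unless version
  affected?(version)
end

# Constructed sample lockfile for the example (not a real project's file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activemodel (3.0.13)
        activesupport (= 3.0.13)
      activerecord (3.0.13)
        activemodel (= 3.0.13)
        arel (~> 2.0.10)
      rails (3.0.13)
        activerecord (= 3.0.13)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  v = activerecord_version(text)
  puts "activerecord #{v}: #{lockfile_affected?(text) ? 'AFFECTED' : 'not affected'}"
end
```

Run it as `ruby check_cve_2012_2695.rb Gemfile.lock`; without an argument it evaluates the embedded sample, which pins 3.0.13 and is therefore reported as affected.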
The recommended fix is to upgrade your Ruby on Rails application to 3.0.14 or later (3.1.6 or 3.2.6 on those branches). If an upgrade isn't immediately possible, cast or validate every user-supplied value before it reaches an ActiveRecord condition so that only scalars of the expected type are passed to `where`.
No active campaigns targeting this specific CVE are publicly known, but the underlying SQL injection weakness remains a risk and public proof-of-concept code exists. Apply the patch, or the mitigating controls above until you can.
Refer to the Ruby on Rails security advisories and the NVD database for detailed information: [https://nvd.nist.gov/vuln/detail/CVE-2012-2695](https://nvd.nist.gov/vuln/detail/CVE-2012-2695)