The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain | exploit mailing list |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html | vendor advisory |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html | vendor advisory |
| http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html | vendor advisory |
| http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor advisory |