CVE-2012-6497

CVSS V2 Medium 5 CVSS V3 None

Description

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.

Overview

CVE ID
CVE-2012-6497

Assigner
cve@mitre.org

Vulnerability Status
Modified

Published Version
2013-01-04T04:46:02

Last Modified Date
2019-08-08T15:42:45

Weakness Enumerations

CWE	URL
CWE-200	http://cwe.mitre.org/data/definitions/200.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
cpe:2.3:a:rubyonrails:rails:0.9.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.9.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.9.3:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.9.4:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.9.4.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.10.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.10.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.11.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.11.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.12.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.12.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.13.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.13.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.14.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.14.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.14.3:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:0.14.4:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.0.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.1.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.1.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.1.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.1.3:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.1.4:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.1.5:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.1.6:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.2.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.2.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.2.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.2.3:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.2.4:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.2.5:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.2.6:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:1.9.5:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.0.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.0.0:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:2.0.0:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:2.0.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.0.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.0.4:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.1.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.1.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.1.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.2.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.2.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.2.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.3.11:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:2.3.12:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.5:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.5:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.6:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.6:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.6:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.7:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.7:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.7:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.8:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.8:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.8:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.8:rc3::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.8:rc4::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.9:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc3::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc4::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.9:rc5::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.10:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.10:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.11:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.12:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.12:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.13:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.13:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.14:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.16:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.0.17:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:beta1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc3::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc4::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc5::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc6::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc7::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.0:rc8::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.1:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.1:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.1:rc3::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.2:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.2:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.3:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.4:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.4:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.5:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.5:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.6:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.7:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.1.8:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.0:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.0:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.1:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.2:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.2:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.3:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.3:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.3:rc2::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.4:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.4:rc1::::::	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.5:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.6:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.7:::::::*	1	OR
cpe:2.3:a:rubyonrails:rails:3.2.8:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails::::::::	1	OR	3.2.9
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:::::::*	1	OR
cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:::::::*	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector
NETWORK

Access Compatibility
LOW

Authentication
NONE

Confidentiality Impact
PARTIAL

Integrity Impact
NONE

Availability Impact
NONE

Base Score
5

Severity
MEDIUM

Exploitability Score
10

Impact Score
2.9

References

Reference URL	Reference Tags
http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html	Exploit
http://openwall.com/lists/oss-security/2013/01/03/12
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/	Exploit
http://www.securityfocus.com/bid/57084

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2012-6497
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6497

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 17:39:04				Added to TrackCVE