Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2012-6497
Vulnerability from gsd - Updated: 2012-12-21 00:00Details
Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered
when the program makes an unsafe method call for find_by_id. With a specially
crafted parameter in an environment that knows the secret_token value in
secret_token.rb, a remote attacker to more easily conduct SQL injection
attacks.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2012-6497",
"description": "The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.",
"id": "GSD-2012-6497",
"references": [
"https://www.debian.org/security/2013/dsa-2597"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "authlogic",
"purl": "pkg:gem/authlogic"
}
}
],
"aliases": [
"CVE-2012-6497",
"OSVDB-89064"
],
"details": "Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered\nwhen the program makes an unsafe method call for find_by_id. With a specially\ncrafted parameter in an environment that knows the secret_token value in\nsecret_token.rb, a remote attacker to more easily conduct SQL injection\nattacks.\n",
"id": "GSD-2012-6497",
"modified": "2012-12-21T00:00:00.000Z",
"published": "2012-12-21T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6497"
}
],
"schema_version": "1.4.0",
"summary": "Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6497",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/",
"refsource": "MISC",
"url": "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/"
},
{
"name": "[oss-security] 20130103 Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2013/01/03/12"
},
{
"name": "http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html",
"refsource": "MISC",
"url": "http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html"
},
{
"name": "57084",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/57084"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2012-6497",
"date": "2012-12-21",
"description": "Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered\nwhen the program makes an unsafe method call for find_by_id. With a specially\ncrafted parameter in an environment that knows the secret_token value in\nsecret_token.rb, a remote attacker to more easily conduct SQL injection\nattacks.\n",
"gem": "authlogic",
"osvdb": 89064,
"patched_versions": [
"\u003e= 3.3.0"
],
"title": "Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6497"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c3.3.0",
"affected_versions": "All versions before 3.3.0",
"credit": "Tieg Zaharia",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-200",
"CWE-937"
],
"date": "2019-08-08",
"description": "Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered when the program makes an unsafe method call for find_by_id. With a specially crafted parameter in an environment that knows the secret_token value in secret_token.rb, a remote attacker to more easily conduct SQL injection attacks.",
"fixed_versions": [
"3.3.0"
],
"identifier": "CVE-2012-6497",
"identifiers": [
"CVE-2012-6497"
],
"not_impacted": "All versions starting from 3.3.0",
"package_slug": "gem/authlogic",
"pubdate": "2013-01-03",
"solution": "Upgrade to version 3.3.0 or above.",
"title": "Remote attacker can conduct SQL injection attacks",
"urls": [
"https://github.com/binarylogic/authlogic/commit/1d57a6c4abe43a3c0b4ef578486ea00e1f7a9873#diff-724a09c582d42a66c65c0bdaadcb21ee",
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/authlogic/OSVDB-89064.yml"
],
"uuid": "3fbac489-73e6-408e-affd-8836fda6658d"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.2.10",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6497"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html",
"refsource": "MISC",
"tags": [
"Broken Link",
"Exploit"
],
"url": "http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html"
},
{
"name": "[oss-security] 20130103 Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://openwall.com/lists/oss-security/2013/01/03/12"
},
{
"name": "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/"
},
{
"name": "57084",
"refsource": "BID",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/57084"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-05-19T16:52Z",
"publishedDate": "2013-01-04T04:46Z"
}
}
}