CVE-2012-2660
Action Pack contains database-query restrictions bypass
EPSS 0.16%
Description
`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 2.3.16, 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `[nil]` values, a related issue to CVE-2012-2694.
How to fix CVE-2012-2660
To remediate CVE-2012-2660, upgrade the affected package to a fixed version below.
- —upgrade to 3.0.13 or later
Is CVE-2012-2660 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 3.0.0.beta, < 3.0.13