Bug 827363 (CVE-2012-2661)
Summary: | CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested query parameters | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | unspecified | CC: | bkabrda, ccoleman, hbrock, lutter, lzap, mastahnke, mmccune, mmorsi, morazi, mtasaka, sseago, tkramer, vanmeeuwen+fedora, vondruch
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | rubygem-actionpack 3.0.13, rubygem-actionpack 3.1.5, rubygem-actionpack 3.2.4 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2013-03-26 15:23:45 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 827365, 829510, 829511 | |
Bug Blocks: | 767033, 836071 | |
Description
Jan Lieskovsky
2012-06-01 08:41:58 UTC
Further details from upstream advisory [1], how to verify presence of the flaw:

===============================================================================
Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

This issue affects the versions of the rubygem-activerecord package as shipped with Fedora releases 15 and 16. Please schedule an update.

--

This issue did NOT affect the version of the rubygem-activerecord package as shipped with Fedora EPEL 5. The affected functionality is not present in that version (yet).

Created rubygem-activerecord tracking bugs for this issue

Affects: fedora-all [bug 827365]

rubygem-activerecord-3.0.10-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-activerecord-3.0.5-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-activerecord-3.0.11-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

CloudForms for RHEL 6

Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html

This issue has been addressed in the following products:

Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html

This issue has been addressed in the following products:

RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html
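As an added example (not from this bug report, the upstream advisory, or Rails itself), one defensive guard for the `Post.where(:id => params[:id])` pattern quoted above: the request parameter is checked before it reaches `where`, so a nested Hash is refused and only a scalar or an array of scalars gets through. The helper names and the sample request hashes are assumptions constructed for this illustration.

```ruby
# Added example, not code from the bug report or from Rails.
# Assumption: params is a Rack-style Hash with string or symbol keys.
class NestedParamError < ArgumentError; end

# Returns params[key] only if it is a scalar (String/Integer) or an Array
# of scalars. A Hash is rejected, because a Hash reaching
# `where(:id => value)` is exactly the shape CVE-2012-2661 abuses.
def scalar_param(params, key)
  value = params[key.to_s] || params[key.to_sym]
  case value
  when nil, String, Integer
    value
  when Array
    raise NestedParamError, "#{key}: nested hash not allowed" if value.any? { |v| v.is_a?(Hash) }
    value
  when Hash
    raise NestedParamError, "#{key}: nested hash not allowed"
  else
    raise NestedParamError, "#{key}: unexpected #{value.class}"
  end
end

# Builds the conditions Hash a controller would hand to `where`,
# i.e. the safe replacement for passing params[:id] through directly.
def safe_conditions(params)
  { id: scalar_param(params, :id) }
end

# Constructed sample requests (query string already parsed, Rack-style).
BENIGN_PARAMS = { "id" => "42" }
NESTED_PARAMS = { "id" => { "some_key" => "some_value" } } # shape the advisory warns about

if __FILE__ == $0
  p safe_conditions(BENIGN_PARAMS)   # => {:id=>"42"}
  begin
    safe_conditions(NESTED_PARAMS)
  rescue NestedParamError => e
    puts "rejected: #{e.message}"
  end
end
```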