High severityNVD Advisory· Published Jan 4, 2013· Updated Apr 29, 2026
CVE-2012-6496
CVE-2012-6496
Description
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
activerecordRubyGems | >= 3.0.0.beta, < 3.0.18 | 3.0.18 |
activerecordRubyGems | >= 3.1.0, < 3.1.9 | 3.1.9 |
activerecordRubyGems | >= 3.2.0, < 3.2.10 | 3.2.10 |
activerecordRubyGems | < 2.3.15 | 2.3.15 |
Affected products
85cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*+ 81 more
- cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*range: <=3.0.17
- cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*
Patches
19de9b359d0d2CVE-2012-5664 options hashes should only be extracted if there are extra parameters
2 files changed · +17 −1
activerecord/lib/active_record/base.rb+5 −1 modified@@ -1897,7 +1897,11 @@ def method_missing(method_id, *arguments, &block) # end self.class_eval <<-EOS, __FILE__, __LINE__ + 1 def self.#{method_id}(*args) - options = args.extract_options! + options = if args.length > #{attribute_names.size} + args.extract_options! + else + {} + end attributes = construct_attributes_from_arguments( [:#{attribute_names.join(',:')}], args
activerecord/test/cases/finder_test.rb+12 −0 modified@@ -66,6 +66,18 @@ def test_find_or_create_by class FinderTest < ActiveRecord::TestCase fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers + def test_find_by_id_with_hash + assert_raises(ActiveRecord::StatementInvalid) do + Post.find_by_id(:limit => 1) + end + end + + def test_find_by_title_and_id_with_hash + assert_raises(ActiveRecord::StatementInvalid) do + Post.find_by_title_and_id('foo', :limit => 1) + end + end + def test_find assert_equal(topics(:first).title, Topic.find(1).title) end
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
13- bugzilla.redhat.com/show_bug.cginvdExploitPatchWEB
- github.com/advisories/GHSA-gh2w-j7cx-2664ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-6496ghsaADVISORY
- blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-factsghsaWEB
- rhn.redhat.com/errata/RHSA-2013-0154.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0220.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0544.htmlnvdWEB
- security.gentoo.org/glsa/glsa-201401-22.xmlnvdWEB
- github.com/rails/rails/commit/9de9b359d0d24f70f0f6c5c58a7ad8750684d456ghsaWEB
- groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64nvdWEB
- blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/nvd
- rhn.redhat.com/errata/RHSA-2013-0155.htmlnvd
- www.securityfocus.com/bid/57084nvd
News mentions
0No linked articles in our index yet.