|Description||The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.|
|Source||CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|rails (PTS)||squeeze, squeeze (security)||2.3.5-1.2+squeeze8||fixed|
|ruby-activerecord-3.2 (PTS)||wheezy (security), wheezy||3.2.6-5+deb7u1||fixed|
The information below is based on the following data on fixed versions.
Starting with 220.127.116.11 rails is a transition package