Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness

Metadata

medium
5.0
authlogic
CVE-2012-6497
osvdb.org
2012-12-21
2017-06-16 19:01
CVE-2012-6497 ruby-activerecord-2.3
CVE-2012-6497 rails
CVE-2012-6497 ruby-activerecord-3.2
2017-04-01 19:10
2017-01-05 20:15

Description

Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered
when the program makes an unsafe method call to find_by_id. With a specially
crafted parameter, in an environment where the secret_token value in
secret_token.rb is known, a remote attacker can more easily conduct SQL
injection attacks.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unreleased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages, and tells you if any of them are vulnerable.


Affected package information

Package     Patched in    Unaffected in
authlogic   >= 3.3.0      None
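To answer the "Am I vulnerable?" question for a checked-out application, here is an added example (not Appcanary's or the authlogic project's code) that reads a Gemfile.lock and compares the locked authlogic version against the patched-in constraint stated above. The sample lockfile is constructed for illustration.

```ruby
require "rubygems"

# Constraint taken from the advisory: authlogic is patched in >= 3.3.0.
# (Added helper for this page, not code from Appcanary or authlogic.)
PATCHED_IN = Gem::Requirement.new(">= 3.3.0")

# Return the locked version of gem_name from Gemfile.lock text as a
# Gem::Version, or nil when the gem is not locked. Bundler lists resolved
# gems under "specs:" as "    name (x.y.z)" with exactly four spaces; the
# deeper-indented lines beneath each entry are its dependency constraints,
# not locked versions, so they are deliberately skipped.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A    #{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# :patched, :vulnerable, or :not_present for the authlogic entry.
def authlogic_status(lockfile_text)
  version = locked_version(lockfile_text, "authlogic")
  return :not_present if version.nil?
  PATCHED_IN.satisfied_by?(version) ? :patched : :vulnerable
end

# Constructed sample lockfile, not taken from any real application.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activerecord (3.2.9)
        activesupport (= 3.2.9)
      authlogic (3.2.0)
        activerecord (>= 3.0.0)
      rails (3.2.9)

  PLATFORMS
    ruby

  DEPENDENCIES
    authlogic
    rails
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOCK : File.read(ARGV.first)
  puts "authlogic: #{authlogic_status(text)}"
end
```

Run it with a path to a real Gemfile.lock to check an application; with no argument it evaluates the constructed sample, which locks authlogic 3.2.0 and therefore reports vulnerable.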