FreeBSD : rubygem-activerecord -- multiple vulnerabilities (748aa89f-d529-11e1-82ab-001fd0af1a4c)

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

rubygem-activerecord -- multiple vulnerabilities

Due to the way Active Record interprets parameters in combination with
the way that Rack parses query parameters, it is possible for an
attacker to issue unexpected database queries with 'IS NULL' WHERE
clauses. This issue does *not* let an attacker insert arbitrary values
into a SQL query; however, it does let them make the query check for
NULL where most users wouldn't expect it.

Due to the way Active Record handles nested query parameters, an
attacker can use a specially crafted request to inject some forms of
SQL into your application's SQL queries.
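The following pure-Ruby model is an added example; it is not Tenable's, Rack's or Active Record's own code. It imitates Rack's bracket-nesting rule for query strings (a valueless 'token[]' becomes [nil], 'token[x]=1' becomes a hash) and the documented rules for hash conditions (nil becomes IS NULL, an array becomes IN, a nested hash is read as table => {column => value} with 'table.column' keys split on the dot), to show how one and the same where(:token => params[:token]) yields three different predicates depending only on the shape of the attacker-controlled value. The table name 'users', the column 'token' and the guard function are assumptions for the illustration; the guard (forcing the parameter to a single String before it reaches the query builder) goes beyond the advisory, whose only remedy is to update the package.

```ruby
# Added example: a model of the behaviour described in the advisory, not
# Rack's or Active Record's code. Table "users" / column "token" are assumed.
require 'uri'

# "token=abc"            -> {"token"=>"abc"}
# "token[]=a&token[]=b"  -> {"token"=>["a","b"]}
# "token[x]=1"           -> {"token"=>{"x"=>"1"}}
# "token[]" (no value)   -> {"token"=>[nil]}   <- the shape behind the IS NULL issue
# Only one level of bracket nesting is modelled here.
def parse_nested_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_val = pair.split('=', 2)
    key = URI.decode_www_form_component(raw_key)
    val = raw_val && URI.decode_www_form_component(raw_val)
    base, rest = key.split('[', 2)
    if rest.nil?                       # plain scalar key
      params[base] = val
    elsif rest == ']'                  # "base[]" appends to an array
      (params[base] ||= []) << val
    else                               # "base[inner]" sets a hash entry
      (params[base] ||= {})[rest.chomp(']')] = val
    end
  end
  params
end

# Single-quote a literal; doubling the quote is the standard SQL escape.
def quote(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# One column/value pair -> SQL. `table` and `column` are what the application
# meant; the *shape* of `value` (attacker-controlled when it comes straight
# from params) decides which branch runs.
def predicate(table, column, value)
  case value
  when nil
    "#{table}.#{column} IS NULL"
  when Array
    literals = value.compact
    parts = []
    parts << "#{table}.#{column} IN (#{literals.map { |v| quote(v) }.join(', ')})" unless literals.empty?
    parts << "#{table}.#{column} IS NULL" if value.include?(nil)
    return '1=0' if parts.empty?       # an empty IN list matches nothing
    parts.size == 1 ? parts.first : "(#{parts.join(' OR ')})"
  when Hash
    # Nested hash: the key the application wrote becomes a table qualifier and
    # the inner keys (attacker-supplied) become the columns actually compared;
    # a dotted inner key names a table of the attacker's choosing.
    value.map do |inner_col, inner_val|
      inner_col = inner_col.to_s
      t, c = inner_col.include?('.') ? inner_col.split('.', 2) : [column, inner_col]
      predicate(t, c, inner_val)
    end.join(' AND ')
  else
    "#{table}.#{column} = #{quote(value)}"
  end
end

def build_where(table, conditions)
  'WHERE ' + conditions.map { |col, val| predicate(table, col.to_s, val) }.join(' AND ')
end

# Vulnerable pattern: where(:token => params[:token]) with the raw structure.
def vulnerable_lookup_sql(query_string)
  params = parse_nested_query(query_string)
  build_where('users', 'token' => params['token'])
end

# Guard (assumed, application-side): force the value to the scalar the column
# holds before it reaches the builder, so nil, [nil] and {...} cannot change
# the shape of the predicate. Casting with .to_s / Integer() achieves the same.
def guarded_lookup_sql(query_string)
  params = parse_nested_query(query_string)
  token = params['token']
  raise ArgumentError, 'token must be a single non-empty string' unless token.is_a?(String) && !token.empty?
  build_where('users', 'token' => token)
end

if $PROGRAM_NAME == __FILE__
  ['token=abc', 'token[]', 'token[users.id]=1'].each do |qs|
    puts "?#{qs.ljust(18)} -> #{vulnerable_lookup_sql(qs)}"
  end
  begin
    guarded_lookup_sql('token[users.id]=1')
  rescue ArgumentError => e
    puts "guarded: #{e.message}"
  end
end
```

Run as a script it prints the three predicates produced from the same application code: the intended equality, an IS NULL check from a valueless 'token[]', and a comparison against a different column from a nested 'token[users.id]=1'. The guard rejects the last two before any SQL is built. The model deliberately over-simplifies quoting and nesting; the point is the branch selection, which is what updating the package fixes on the library side.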

See also :

http://www.nessus.org/u?f997721c
http://www.nessus.org/u?ad95742e
http://www.nessus.org/u?40515b64

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 60101

Bugtraq ID:

CVE ID: CVE-2012-2660, CVE-2012-2661
