Skip to content

Authlogic Information Exposure vulnerability

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Jan 26, 2023

Package

bundler authlogic (RubyGems)

Affected versions

< 3.3.0

Patched versions

3.3.0

Description

The Authlogic gem for Ruby on Rails prior to version 3.3.0 makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.

References

Published by the National Vulnerability Database Jan 4, 2013
Published to the GitHub Advisory Database May 14, 2022
Reviewed Jan 26, 2023
Last updated Jan 26, 2023

Severity

Moderate

Weaknesses

CVE ID

CVE-2012-6497

GHSA ID

GHSA-rx7j-mw4c-76g9

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.