CVE-2012-2661

Ruby on Rails <3.0.13, <3.1.5, <3.2.4 - SQL Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-2661. PoCs published by r4x0r1337.

AI-analyzed exploit summary: This repository contains a writeup in Bahasa Melayu for CVE-2012-2661, an SQL injection vulnerability in ActiveRecord. No exploit code or technical details are provided in the README.

Description

The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.

Exploits (1)

nomisec · writeup · 1 star
by r4x0r1337 · PoC
https://github.com/r4x0r1337/-CVE-2012-2661-ActiveRecord-SQL-injection-


Classification: Writeup (90% confidence)
Attack type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: ActiveRecord (Ruby on Rails)
Authentication: none needed
Prerequisites: vulnerable version of ActiveRecord
Analyzed by devstral-2 on Feb 16, 2026

References (5)

Core references
Mailing list (vendor advisory, SUSE): http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
Vendor advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2013-0154.html

Scores

EPSS 0.0063
EPSS Percentile 70.8%

Details

CWE
CWE-89
Status published
Products (17)
rubygems/activerecord 3.0.0 - 3.0.13 (RubyGems)
rubyonrails/rails 3.0.0 (7 CPE variants)
rubyonrails/rails 3.0.1 (2 CPE variants)
rubyonrails/rails 3.0.2 (2 CPE variants)
rubyonrails/rails 3.0.3
rubyonrails/rails 3.0.4 rc1
rubyonrails/rails 3.0.5 (2 CPE variants)
rubyonrails/rails 3.0.6 (3 CPE variants)
rubyonrails/rails 3.0.7 (3 CPE variants)
rubyonrails/rails 3.0.8 (5 CPE variants)
... and 7 more
Published Jun 22, 2012
Tracked Since Feb 18, 2026