CVE-2012-6497

Name of the Vulnerable Software and Affected Versions Authlogic gem for Ruby on Rails versions prior to 3.3.0

Description The issue allows remote attackers to conduct SQL injection attacks via a crafted parameter in environments with a known secret token value. This is demonstrated by a value contained in secret token.rb in an open-source product. The find by id method calls are potentially unsafe.

Recommendations For versions prior to 3.3.0, update to version 3.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the find by id method to minimize the risk of exploitation. Avoid using crafted parameters in environments with a known secret token value until the issue is resolved.