Vulnerability details: VCID-sz4r-kjse-cbdd
Vulnerability ID VCID-sz4r-kjse-cbdd
Aliases CVE-2012-6497
GHSA-rx7j-mw4c-76g9
OSV-89064
Summary Remote attacker can conduct SQL injection attacks. Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered when the program makes an unsafe method call to find_by_id. With a specially crafted parameter, in an environment where the secret_token value in secret_token.rb is known, a remote attacker can more easily conduct SQL injection attacks.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
generic_textual MODERATE http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
generic_textual MODERATE http://openwall.com/lists/oss-security/2013/01/03/12
epss 0.00397 https://api.first.org/data/v1/epss?cve=CVE-2012-6497
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-rx7j-mw4c-76g9
generic_textual MODERATE https://github.com/binarylogic/authlogic
generic_textual MODERATE https://github.com/binarylogic/authlogic/commit/1d57a6c4abe43a3c0b4ef578486ea00e1f7a9873
generic_textual MODERATE https://github.com/binarylogic/authlogic/pull/341
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2012-6497
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2012-6497
generic_textual MODERATE https://web.archive.org/web/20130104161608/http://www.securityfocus.com/bid/57084
generic_textual MODERATE https://web.archive.org/web/20130116043311/http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html
No exploits are available.
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2012-6497
Exploitability (E): not_defined
Access Vector (AV): network
Access Complexity (AC): low
Authentication (Au): none
Confidentiality Impact (C): partial
Integrity Impact (I): none
Availability Impact (A): none
Exploit Prediction Scoring System (EPSS)
Percentile 0.60444
EPSS Score 0.00397
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:46:47.848836+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/authlogic/CVE-2012-6497.yml 38.0.0