Vulnerability details: VCID-tt6r-bytq-4fa4
Vulnerability ID VCID-tt6r-bytq-4fa4
Aliases CVE-2012-2694
GHSA-q34c-48gc-m9g8
Summary actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request.
`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2013-0154.html
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2012-2694
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q34c-48gc-m9g8
generic_textual MODERATE https://github.com/rails/rails
generic_textual MODERATE https://github.com/rails/rails/commit/2f3bc0467311781ac1ceb2c8c2b09002c8fe143a
generic_textual MODERATE https://github.com/rails/rails/commit/c202638225519b5e1a03ebe523b109c948fb0e52
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml
generic_textual MODERATE https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain
generic_textual MODERATE https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2012-2694
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.44593
EPSS Score 0.0022
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:47:27.572485+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2012-2694.yml 38.0.0