A critical SQL Injection vulnerability has been found to affect the Ruby on Rails web framework and, as a result, the developers have released the 3.2.4 and, shortly after, the 3.2.5 variant to address this and other issues.
The SQL Injection security hole was present in Active Record and affected all versions starting with 3.0. Ruby on Rails 2.3.14 has not been impacted by the flaw.
Identified by Ben Murphy, the weakness occurred due to the way in which Active Record handled nested query parameters. The bug allowed an attacker to inject SLQ commands into an app’s SQL queries with the aid of a specially crafted request.
Customers of Ruby on Rails 3.0 and later versions are advised to immediately apply the updates.
Ruby on Rails 3.2.5 is available for download here