Rails SQL injection vulnerability 3 Jan 13
A security problem affecting all versions of Rails has been discovered. The vulnerability affects apps which use dynamic finders with Active Record.
The original bug report has more detail about this vulnerability – CVE-2012-5664.
Customers who are able to, should upgrade to one of the new versions of Rails listed in the bug report (3.2.10, 3.1.9, or 3.0.18). Otherwise, you should audit your apps’ code for instances of dynamic finders, with a view to applying the workaround.