Active Record contains SQL Injection via improper range quoting

GHSA-r8fh-hq2p-7qhq · CVE-2014-3483

Published Oct 24, 2017 · Modified Nov 29, 2024

Description

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-3483
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-3483.yml
WEB https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J
WEB https://web.archive.org/web/20200228150648/http://www.securityfocus.com/bid/68341
WEB http://openwall.com/lists/oss-security/2014/07/02/5
WEB http://rhn.redhat.com/errata/RHSA-2014-0877.html
WEB http://www.debian.org/security/2014/dsa-2982

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes