-
-
Notifications
You must be signed in to change notification settings - Fork 233
Expand file tree
/
Copy pathCVE-2014-3483.yml
More file actions
22 lines (22 loc) · 927 Bytes
/
CVE-2014-3483.yml
File metadata and controls
22 lines (22 loc) · 927 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
---
gem: activerecord
framework: rails
cve: 2014-3483
osvdb: 108665
ghsa: r8fh-hq2p-7qhq
url: https://nvd.nist.gov/vuln/detail/CVE-2014-3483
title: "CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting"
date: 2014-07-02
description: |
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and
4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by
leveraging improper range quoting. It was discovered that Active Record did not
properly quote values of the range type attributes when using the PostgreSQL database
adapter. A remote attacker could possibly use this flaw to conduct an SQL injection
attack against applications using Active Record.
unaffected_versions:
- "< 4.0.0"
patched_versions:
- "~> 4.0.7"
- ">= 4.1.3"