Lucene search

K
githubGitHub Advisory DatabaseGHSA-R8FH-HQ2P-7QHQ
HistoryOct 24, 2017 - 6:33 p.m.

Active Record contains SQL Injection via improper range quoting

2017-10-2418:33:36
CWE-89
GitHub Advisory Database
github.com
12

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.009

Percentile

82.6%

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.

Affected configurations

Vulners
Node
activerecord_projectactiverecordRange<4.1.3ruby
OR
activerecord_projectactiverecordRange<4.0.7ruby
CPENameOperatorVersion
activerecordlt4.1.3
activerecordlt4.0.7

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.009

Percentile

82.6%