CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.005 Low
  Percentile: 71.5%

Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Active Record implements object-relational mapping
for accessing database entries using objects.

It was discovered that Active Record did not properly quote values of the
range type attributes when using the PostgreSQL database adapter. A remote
attacker could possibly use this flaw to conduct an SQL injection attack
against applications using Active Record. (CVE-2014-3483)
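
The class of flaw described above, modeled as an added Ruby example (not Active Record's code and not the backported patch): a range value is rendered into a SQL literal first without and then with single-quote escaping, and a small scanner checks whether the result is still one literal. The helper names, the int4range type and the sample bound are constructed for illustration; the escaping assumes PostgreSQL's default standard_conforming_strings = on.

```ruby
# Simplified model of quoting a range value for PostgreSQL.
# Hypothetical helper names; this is not Active Record's implementation.

# Text form of a range value, e.g. 1..10 -> "[1,10]", 1...10 -> "[1,10)".
def range_text(range)
  "[#{range.begin},#{range.end}#{range.exclude_end? ? ')' : ']'}"
end

# Flawed: the bounds reach the SQL string literal without escaping.
def quote_range_unsafe(range, sql_type)
  "'#{range_text(range)}'::#{sql_type}"
end

# Hardened: double each single quote so the bounds stay inside the literal
# (assumes standard_conforming_strings = on, so backslash is not special).
def quote_range_safe(range, sql_type)
  "'#{range_text(range).gsub("'", "''")}'::#{sql_type}"
end

# True when sql is exactly one quoted literal followed by the type cast.
def single_literal?(sql, sql_type)
  return false unless sql.start_with?("'")
  i = 1
  while i < sql.length
    if sql[i] == "'"
      if sql[i + 1] == "'"   # doubled quote: escaped, still inside the literal
        i += 2
        next
      end
      return sql[(i + 1)..-1] == "::#{sql_type}"  # literal closed here
    end
    i += 1
  end
  false
end

# Constructed inputs: a numeric range and one whose upper bound holds a quote.
SAMPLE_RANGES = [1..10, Range.new("1", "10' trailing text")].freeze

SAMPLE_RANGES.each do |r|
  [quote_range_unsafe(r, "int4range"), quote_range_safe(r, "int4range")].each do |sql|
    puts "#{single_literal?(sql, 'int4range') ? 'ok     ' : 'BROKEN '} #{sql}"
  end
end
```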

Red Hat would like to thank the Ruby on Rails project for reporting this
issue. Upstream acknowledges Sean Griffin of thoughtbot as the original
reporter.

All ror40-rubygem-activerecord users are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.