Lucene search

K
rubygemsRubySecRUBY:ACTIVERECORD-2014-3483-108665
HistoryJul 01, 2014 - 8:00 p.m.

CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting

2014-07-0120:00:00
RubySec
rubysec.com
12

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.009

Percentile

82.6%

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and
4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by
leveraging improper range quoting. It was discovered that Active Record did not
properly quote values of the range type attributes when using the PostgreSQL database
adapter. A remote attacker could possibly use this flaw to conduct an SQL injection
attack against applications using Active Record.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.009

Percentile

82.6%