CVE-2014-0080: SQL Injection in Project Activerecord

CWE-89 SQL Injection | 8 documents | 7 sources

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.2% (top 51.89%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 20 | Latest update Oct 24

Description

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P | Exploitability: 8.6 | Impact: 6.4

Affected Packages (2 packages)

RubyGems | activerecord_project/activerecord | 4.0.0 | 4.0.3 | +1
NVD | rubyonrails/rails | 4 versions | +3

🔴 Vulnerability Details (3)

GHSA: Array data injection vulnerability in activerecord (2017-10-24)
OSV: Array data injection vulnerability in activerecord (2017-10-24)
CVEList: CVE-2014-0080: SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast (2014-02-20)

📋 Vendor Advisories (2)

Red Hat: rubygem-activerecord: PostgreSQL array data injection vulnerability (2014-02-18)
Debian: CVE-2014-0080: rails - SQL injection vulnerability in activerecord/lib/active_record/connection_adapter... (2014)

💬 Community (2)

Bugzilla: CVE-2014-0080 rubygem-activerecord: PostgreSQL array data injection vulnerability [fedora-20] (2014-02-18)
Bugzilla: CVE-2014-0080 rubygem-activerecord: PostgreSQL array data injection vulnerability (2014-02-14)