CVE-2014-3483: SQL Injection in Project Activerecord

CWE-89: SQL Injection | 9 documents | 7 sources

Severity: 7.5 HIGH (NVD)
EPSS: 1.3% (top 20.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 7; latest update Oct 24

Description

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P (Exploitability: 10.0 | Impact: 6.4)

Affected Packages (3 packages)

RubyGems: activerecord_project/activerecord, 4.0.0 to 4.0.7 (+1)
Debian: rubyonrails/rails < 2:4.1.4-1 (+3)
NVD: rubyonrails/rails, 10 versions (+9)

Vulnerability Details (4)

GHSA: Active Record contains SQL Injection via improper range quoting (2017-10-24)
OSV: Active Record contains SQL Injection via improper range quoting (2017-10-24)
OSV: CVE-2014-3483: SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting (2014-07-07)
CVEList: CVE-2014-3483: SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting (2014-07-07)

Vendor Advisories (2)

Red Hat: rubygem-activerecord: SQL injection vulnerability in 'range' quoting (2014-07-02)
Debian: CVE-2014-3483: rails - SQL injection vulnerability in activerecord/lib/active_record/connection_adapter... (2014)

Community (2)

Bugzilla: CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting [fedora-20] (2014-07-03)
Bugzilla: CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting (2014-06-30)
CVE-2014-3483 — SQL Injection in Project Activerecord | cvebase