Description
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.
References (2)
Core 2
Core References
Mailing List mailing-list
x_refsource_mlist
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2014/02/18/9
Scores
EPSS
0.0025
EPSS Percentile
48.0%
Details
CWE
CWE-89
Status
published
Products (5)
rubygems/activerecord
4.0.0 - 4.0.3RubyGems
rubyonrails/rails
4.0.0 (4 CPE variants)
rubyonrails/rails
4.0.1 (5 CPE variants)
rubyonrails/rails
4.0.2
rubyonrails/rails
4.1.0 beta1
Published
Feb 20, 2014
Tracked Since
Feb 18, 2026