CVE-2014-3483
Ruby on Rails 4.x < 4.0.7 and 4.1.x < 4.1.3 - SQL Injection via PostgreSQL Range Quoting
Title source: llmDescription
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.
References (7)
Core 7
Core References
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/59971
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2014/07/02/5
Mailing List mailing-list
x_refsource_mlist
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/60214
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2014/dsa-2982
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/68341
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0877.html
Scores
EPSS
0.0092
EPSS Percentile
76.3%
Details
CWE
CWE-89
Status
published
Products (11)
rubygems/activerecord
4.0.0 - 4.0.7RubyGems
rubyonrails/rails
4.0.0 (4 CPE variants)
rubyonrails/rails
4.0.1 (5 CPE variants)
rubyonrails/rails
4.0.2
rubyonrails/rails
4.0.3
rubyonrails/rails
4.0.4
rubyonrails/rails
4.0.5
rubyonrails/rails
4.0.6 (4 CPE variants)
rubyonrails/rails
4.1.0 (2 CPE variants)
rubyonrails/rails
4.1.1
... and 1 more
Published
Jul 07, 2014
Tracked Since
Feb 18, 2026