GHSA-hqf9-rc9j-5fmj

Suggest an improvement
Source
https://github.com/advisories/GHSA-hqf9-rc9j-5fmj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-hqf9-rc9j-5fmj/GHSA-hqf9-rc9j-5fmj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hqf9-rc9j-5fmj
Aliases
  • CVE-2014-0080
Published
2017-10-24T18:33:36Z
Modified
2024-02-16T08:08:09.286869Z
Summary
Array data injection vulnerability in activerecord
Details

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.

References

Affected packages

RubyGems / activerecord

Package

Name
activerecord
Purl
pkg:gem/activerecord

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.3

Affected versions

4.*

4.0.0
4.0.1.rc1
4.0.1.rc2
4.0.1.rc3
4.0.1.rc4
4.0.1
4.0.2

RubyGems / activerecord

Package

Name
activerecord
Purl
pkg:gem/activerecord

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0.beta1
Fixed
4.1.0.beta2

Affected versions

4.*

4.1.0.beta1