RubySec

Providing security resources for the Ruby community

CVE-2014-0080 (activerecord): Data Injection Vulnerability in Active Record

GEM

activerecord

FRAMEWORK

rails

UNAFFECTED VERSIONS

  • < 3.2.0
  • ~> 3.2.0

PATCHED VERSIONS

  • ~> 4.0.3
  • >= 4.1.0.beta2

DESCRIPTION

Ruby on Rails contains a flaw in connection_adapters/postgresql/cast.rb in Active Record. This issue may allow a remote attacker to inject data into PostgreSQL array columns via a specially crafted string.
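
To check whether a project resolves to an affected activerecord release, the version lists above can be evaluated with RubyGems' own comparison rules. This is an added example, not code from RubySec or Rails; the helper names and the sample lockfile are constructed for illustration, and anything matching neither list is treated as vulnerable.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement (ships with Ruby)

# Ranges copied from the advisory. Each entry is an alternative (OR), so they
# are kept as separate requirements; Gem::Requirement.new(a, b) would AND them.
UNAFFECTED = ["< 3.2.0", "~> 3.2.0"].map { |r| Gem::Requirement.new(r) }
PATCHED    = ["~> 4.0.3", ">= 4.1.0.beta2"].map { |r| Gem::Requirement.new(r) }

# Returns :unaffected, :patched or :vulnerable for a version string.
def classify(version)
  v = Gem::Version.new(version)
  return :unaffected if UNAFFECTED.any? { |r| r.satisfied_by?(v) }
  return :patched    if PATCHED.any?    { |r| r.satisfied_by?(v) }
  :vulnerable
end

# Pulls the resolved activerecord version out of Gemfile.lock text.
# Resolved specs are indented four spaces; dependency lines are indented deeper.
def locked_activerecord(lockfile_text)
  m = lockfile_text.match(/^ {4}activerecord \(([^)\s]+)\)$/)
  m && m[1]
end

# Returns [version, status]; status is :not_present when the gem is not locked.
def audit(lockfile_text)
  version = locked_activerecord(lockfile_text)
  return [nil, :not_present] unless version
  [version, classify(version)]
end

# Constructed sample lockfile fragment, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activemodel (4.0.2)
        activesupport (= 4.0.2)
      activerecord (4.0.2)
        activemodel (= 4.0.2)
        activesupport (= 4.0.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  version, status = audit(SAMPLE_LOCK)
  puts "activerecord #{version}: #{status}"
  %w[3.1.12 3.2.17 4.0.3 4.1.0.beta1 4.1.0.beta2 4.1.0].each do |v|
    puts "#{v.ljust(12)} #{classify(v)}"
  end
end
```

Note that 4.1.0.beta1 falls outside both patched ranges: `~> 4.0.3` stops below 4.1, and the prerelease sorts before 4.1.0.beta2.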