RubySec

Providing security resources for the Ruby community

CVE-2014-3482 (activerecord): SQL Injection Vulnerability in Active Record

GEM

activerecord

FRAMEWORK

rails

UNAFFECTED VERSIONS

  • >= 4.0.0

PATCHED VERSIONS

  • ~> 3.2.19

DESCRIPTION

Ruby on Rails contains a flaw that may allow an SQL injection attack. The PostgreSQL adapter for Active Record does not properly sanitize user-supplied input when quoting bit-string values. A remote attacker may be able to inject or manipulate SQL queries against the back-end database, leading to the manipulation or disclosure of arbitrary data.
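The flaw described above lies in how a bit-string value is turned into a SQL literal. As an added example (not code from the advisory, and not the Rails patch itself), the stand-alone Ruby below contrasts a quoting routine that trusts its input with one that only emits a PostgreSQL `B'...'` or `X'...'` literal after checking that the value is made solely of characters such a literal may contain; `BitString`, `BitStringQuoteError` and the function names are assumptions.

```ruby
# Added example: quoting a PostgreSQL bit-string value for use in SQL.
# The names below are hypothetical and not from Active Record.

class BitStringQuoteError < ArgumentError; end

# Stand-in for a value object carrying a bit-string column value.
BitString = Struct.new(:value)

# Unchecked: whatever characters are in +value+ land inside the SQL
# literal unchanged, so a stray quote character ends the literal early.
def quote_bit_string_unchecked(bs)
  "B'#{bs.value}'"
end

# Checked: a PostgreSQL bit-string literal is either binary (B'0101') or
# hexadecimal (X'1F'). Anything outside those two alphabets is refused
# before any SQL text is built, so no input can close the literal.
def quote_bit_string(bs)
  v = bs.value.to_s
  if v =~ /\A[01]*\z/
    "B'#{v}'"
  elsif v =~ /\A[0-9A-Fa-f]*\z/
    "X'#{v}'"
  else
    raise BitStringQuoteError, "invalid bit-string value: #{v.inspect}"
  end
end

# Returns true when the checked quoter refused the value; a caller can use
# this to log and reject the request instead of issuing the query.
def rejected?(value)
  quote_bit_string(BitString.new(value))
  false
rescue BitStringQuoteError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts quote_bit_string(BitString.new("0101"))   # B'0101'
  puts quote_bit_string(BitString.new("1F"))     # X'1F'
  puts rejected?("0'1")                          # true
end
```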