RubySec

Providing security resources for the Ruby community

CVE-2014-3483 (activerecord): SQL Injection Vulnerability in Active Record

ADVISORIES

GEM

activerecord

FRAMEWORK

rails

UNAFFECTED VERSIONS

  • < 4.0.0

PATCHED VERSIONS

  • ~> 4.0.7
  • >= 4.1.3

DESCRIPTION

Active Record's PostgreSQL adapter in Rails 4.0.x and 4.1.x does not properly quote user-supplied input when it builds range literals (for example for int4range, daterange or tsrange columns). Because the range endpoints are interpolated into the SQL literal without proper escaping, a remote attacker who controls a value that an application passes in as a range endpoint can inject or manipulate SQL queries in the back-end database, allowing the disclosure or modification of arbitrary data. Only applications using the PostgreSQL adapter are affected; Rails 3.2 and earlier do not map PostgreSQL range types and are not affected. Upgrade to 4.0.7 or 4.1.3. Until then, do not pass untrusted values as range endpoints without first coercing them to the expected type (Integer, Date, Time).
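The following is an added illustration of the bug class the description names, not Active Record's own quoting code and not the advisory's example: a range literal built by interpolating endpoints unescaped lets an endpoint that contains a single quote terminate the literal early, whereas escaping each endpoint keeps it inside. The function names, the literal-intact check and the sample endpoints are constructed for this illustration.

```ruby
# Constructed illustration (not Active Record code): unsafe vs. safe quoting
# of a PostgreSQL range literal such as '[lo,hi]'::daterange.

# Hypothetical naive quoting: endpoints go straight into the literal. This is
# the pattern the advisory describes (endpoints not sanitized before quoting).
def naive_range_literal(range, sql_type = "int4range")
  "'[#{range.begin},#{range.end}]'::#{sql_type}"
end

# Escape a single quote by doubling it, the PostgreSQL rule for string
# literals (what an adapter's quote_string does for text values).
def escape(value)
  value.to_s.gsub("'", "''")
end

# Hardened quoting: every endpoint is escaped, so no endpoint can close the
# surrounding literal.
def safe_range_literal(range, sql_type = "int4range")
  "'[#{escape(range.begin)},#{escape(range.end)}]'::#{sql_type}"
end

# Count single quotes that are NOT part of a doubled '' pair, i.e. quotes that
# open or close a literal. A well-formed "'...'::type" fragment has exactly two.
def unescaped_quote_count(sql)
  count = 0
  i = 0
  while i < sql.length
    if sql[i] == "'"
      if sql[i + 1] == "'"
        i += 2          # doubled quote: escaped content, skip both
        next
      end
      count += 1        # a real delimiter
    end
    i += 1
  end
  count
end

def literal_intact?(sql)
  unescaped_quote_count(sql) == 2
end

# Defense in depth independent of the adapter fix: coerce untrusted endpoints
# to the expected type before they reach a query. Integer() raises on junk.
def integer_range(from, to)
  Integer(from)..Integer(to)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the upper endpoint carries an attacker-controlled quote.
  untrusted = Range.new("2014-01-01", "2014-12-31'")

  naive = naive_range_literal(untrusted, "daterange")
  safe  = safe_range_literal(untrusted, "daterange")

  puts "naive: #{naive}  intact=#{literal_intact?(naive)}"
  puts "safe:  #{safe}  intact=#{literal_intact?(safe)}"

  begin
    integer_range("1", "5'")
  rescue ArgumentError => e
    puts "coercion rejected endpoint: #{e.message}"
  end
end
```

Run it with `ruby range_quoting.rb`: the naive literal shows three unescaped quotes (the literal closes inside the attacker's endpoint and the remainder is parsed as SQL), the escaped one shows exactly two. The coercion helper is the application-side check that still makes sense after upgrading: an endpoint that is not an integer or date should never reach the adapter at all.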