| 0 |
| url |
VCID-5vcg-bgpn-9fhs |
| vulnerability_id |
VCID-5vcg-bgpn-9fhs |
| summary |
Active Record allows bypassing of database-query restrictions
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activerecord@3.2.11 |
| purl |
pkg:gem/activerecord@3.2.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-8uqv-cr1v-fbbm |
|
| 1 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 2 |
| vulnerability |
VCID-b2vm-7rth-mqhj |
|
| 3 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 4 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 5 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 6 |
| vulnerability |
VCID-qv5s-vase-2qas |
|
| 7 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 8 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 9 |
| vulnerability |
VCID-vta6-rneu-jbgg |
|
| 10 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 11 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 12 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 13 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 14 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@3.2.11 |
|
|
| aliases |
CVE-2013-0155, GHSA-gppp-5xc5-wfpx, OSV-89025
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5vcg-bgpn-9fhs |
|
| 1 |
| url |
VCID-8umt-dz29-p3ck |
| vulnerability_id |
VCID-8umt-dz29-p3ck |
| summary |
Active Record vulnerable to SQL Injection via nested query parameters
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activerecord@3.2.4 |
| purl |
pkg:gem/activerecord@3.2.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5vcg-bgpn-9fhs |
|
| 1 |
| vulnerability |
VCID-8uqv-cr1v-fbbm |
|
| 2 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 3 |
| vulnerability |
VCID-b2vm-7rth-mqhj |
|
| 4 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 5 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 6 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 7 |
| vulnerability |
VCID-qv5s-vase-2qas |
|
| 8 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 9 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 10 |
| vulnerability |
VCID-vta6-rneu-jbgg |
|
| 11 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 12 |
| vulnerability |
VCID-xej7-nkc8-dkez |
|
| 13 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 14 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 15 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 16 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@3.2.4 |
|
|
| aliases |
CVE-2012-2661, GHSA-fh39-v733-mxfr, OSV-82403
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8umt-dz29-p3ck |
|
| 2 |
| url |
VCID-8uqv-cr1v-fbbm |
| vulnerability_id |
VCID-8uqv-cr1v-fbbm |
| summary |
Active Record contains deserialization of arbitrary YAML
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-0277, GHSA-fhj9-cjjh-27vm, OSV-90073
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8uqv-cr1v-fbbm |
|
| 3 |
| url |
VCID-a5js-1u9t-bfan |
| vulnerability_id |
VCID-a5js-1u9t-bfan |
| summary |
Active Record subject to strong parameters protection bypass
`activerecord/lib/active_record/relation/query_methods.rb` in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes `create_with` calls. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-3514, GHSA-9rf5-jm6f-2fmm
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a5js-1u9t-bfan |
|
| 4 |
| url |
VCID-b2vm-7rth-mqhj |
| vulnerability_id |
VCID-b2vm-7rth-mqhj |
| summary |
Active Record Improper Input Validation
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activerecord@3.2.13 |
| purl |
pkg:gem/activerecord@3.2.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 1 |
| vulnerability |
VCID-b2vm-7rth-mqhj |
|
| 2 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 3 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 4 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 5 |
| vulnerability |
VCID-qv5s-vase-2qas |
|
| 6 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 7 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 8 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 9 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 10 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 11 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 12 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@3.2.13 |
|
|
| aliases |
CVE-2013-1854, GHSA-3crr-9vmg-864v, OSV-91453
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b2vm-7rth-mqhj |
|
| 5 |
| url |
VCID-dbvw-1xvz-63b8 |
| vulnerability_id |
VCID-dbvw-1xvz-63b8 |
| summary |
activerecord vulnerable to SQL Injection
The Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activerecord@3.2.6 |
| purl |
pkg:gem/activerecord@3.2.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5vcg-bgpn-9fhs |
|
| 1 |
| vulnerability |
VCID-8uqv-cr1v-fbbm |
|
| 2 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 3 |
| vulnerability |
VCID-b2vm-7rth-mqhj |
|
| 4 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 5 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 6 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 7 |
| vulnerability |
VCID-qv5s-vase-2qas |
|
| 8 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 9 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 10 |
| vulnerability |
VCID-vta6-rneu-jbgg |
|
| 11 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 12 |
| vulnerability |
VCID-xej7-nkc8-dkez |
|
| 13 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 14 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 15 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 16 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@3.2.6 |
|
|
| aliases |
CVE-2012-2695, GHSA-76wq-xw4h-f8wj
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dbvw-1xvz-63b8 |
|
| 6 |
| url |
VCID-er3j-4ygz-kqdx |
| vulnerability_id |
VCID-er3j-4ygz-kqdx |
| summary |
activerecord vulnerable to SQL Injection
Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-2930, GHSA-h6w6-xmqv-7q78
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-er3j-4ygz-kqdx |
|
| 7 |
| url |
VCID-mnh7-4rvx-suay |
| vulnerability_id |
VCID-mnh7-4rvx-suay |
| summary |
Action Pack contains database-query restrictions bypass
`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 2.3.16, 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `[nil]` values, a related issue to CVE-2012-2694. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activerecord@3.2.4 |
| purl |
pkg:gem/activerecord@3.2.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5vcg-bgpn-9fhs |
|
| 1 |
| vulnerability |
VCID-8uqv-cr1v-fbbm |
|
| 2 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 3 |
| vulnerability |
VCID-b2vm-7rth-mqhj |
|
| 4 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 5 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 6 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 7 |
| vulnerability |
VCID-qv5s-vase-2qas |
|
| 8 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 9 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 10 |
| vulnerability |
VCID-vta6-rneu-jbgg |
|
| 11 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 12 |
| vulnerability |
VCID-xej7-nkc8-dkez |
|
| 13 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 14 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 15 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 16 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@3.2.4 |
|
|
| aliases |
CVE-2012-2660, GHSA-hgpp-pp89-4fgf, OSV-82610
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mnh7-4rvx-suay |
|
| 8 |
| url |
VCID-q8un-ngwx-5kaw |
| vulnerability_id |
VCID-q8un-ngwx-5kaw |
| summary |
Active Record Improper Access Control
`activerecord/lib/active_record/nested_attributes.rb` in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-7577, GHSA-xrr6-3pc4-m447
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q8un-ngwx-5kaw |
|
| 9 |
| url |
VCID-qv5s-vase-2qas |
| vulnerability_id |
VCID-qv5s-vase-2qas |
| summary |
Array data injection vulnerability in activerecord
SQL injection vulnerability in `activerecord/lib/active_record/connection_adapters/postgresql/cast.rb` in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving `\` (backslash) characters that are not properly handled in operations on array columns. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activerecord@3.2.0 |
| purl |
pkg:gem/activerecord@3.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5vcg-bgpn-9fhs |
|
| 1 |
| vulnerability |
VCID-8umt-dz29-p3ck |
|
| 2 |
| vulnerability |
VCID-8uqv-cr1v-fbbm |
|
| 3 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 4 |
| vulnerability |
VCID-b2vm-7rth-mqhj |
|
| 5 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 6 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 7 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 8 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 9 |
| vulnerability |
VCID-qv5s-vase-2qas |
|
| 10 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 11 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 12 |
| vulnerability |
VCID-vta6-rneu-jbgg |
|
| 13 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 14 |
| vulnerability |
VCID-xej7-nkc8-dkez |
|
| 15 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 16 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 17 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 18 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@3.2.0 |
|
| 1 |
| url |
pkg:gem/activerecord@4.0.3 |
| purl |
pkg:gem/activerecord@4.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 1 |
| vulnerability |
VCID-cbdn-yhbu-5uaj |
|
| 2 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 3 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 4 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 5 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 6 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 7 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 8 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 9 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 10 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 11 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@4.0.3 |
|
|
| aliases |
CVE-2014-0080, GHSA-hqf9-rc9j-5fmj, OSV-103438
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qv5s-vase-2qas |
|
| 10 |
| url |
VCID-seud-h84p-uugv |
| vulnerability_id |
VCID-seud-h84p-uugv |
| summary |
SQL Injection in Active Record
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. |
| references |
|
| fixed_packages |
| 1 |
| url |
pkg:gem/activerecord@4.0.0 |
| purl |
pkg:gem/activerecord@4.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 1 |
| vulnerability |
VCID-cbdn-yhbu-5uaj |
|
| 2 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 3 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 4 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 5 |
| vulnerability |
VCID-qv5s-vase-2qas |
|
| 6 |
| vulnerability |
VCID-r9dt-jbb6-sqda |
|
| 7 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 8 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 9 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 10 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 11 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 12 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 13 |
| vulnerability |
VCID-z8rh-apvg-t3d7 |
|
| 14 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@4.0.0 |
|
|
| aliases |
CVE-2014-3482, GHSA-mhwp-qhpc-h3jm, OSV-108664
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-seud-h84p-uugv |
|
| 11 |
| url |
VCID-u1sg-z8t6-audk |
| vulnerability_id |
VCID-u1sg-z8t6-audk |
| summary |
Active Record contains SQL Injection via improper range quoting
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-3483, GHSA-r8fh-hq2p-7qhq, OSV-108665
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u1sg-z8t6-audk |
|
| 12 |
| url |
VCID-vta6-rneu-jbgg |
| vulnerability_id |
VCID-vta6-rneu-jbgg |
| summary |
ActiveRecord vulnerable to modification of protected model attributes
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the `attr_protected` protection mechanism and modify protected model attributes via a crafted request. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activerecord@3.2.12 |
| purl |
pkg:gem/activerecord@3.2.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 1 |
| vulnerability |
VCID-b2vm-7rth-mqhj |
|
| 2 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 3 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 4 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 5 |
| vulnerability |
VCID-qv5s-vase-2qas |
|
| 6 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 7 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 8 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 9 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 10 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 11 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 12 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@3.2.12 |
|
|
| aliases |
CVE-2013-0276, GHSA-gr44-7grc-37vq, OSV-90072
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vta6-rneu-jbgg |
|
| 13 |
| url |
VCID-wz1m-798r-8yez |
| vulnerability_id |
VCID-wz1m-798r-8yez |
| summary |
Rails ActiveRecord gem vulnerable to SQL injection
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) `:limit` and (2) `:offset` parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2008-4094, GHSA-xf96-32q2-9rw2
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wz1m-798r-8yez |
|
| 14 |
| url |
VCID-xej7-nkc8-dkez |
| vulnerability_id |
VCID-xej7-nkc8-dkez |
| summary |
Active Record contains SQL Injection
SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/activerecord@3.2.10 |
| purl |
pkg:gem/activerecord@3.2.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5vcg-bgpn-9fhs |
|
| 1 |
| vulnerability |
VCID-8uqv-cr1v-fbbm |
|
| 2 |
| vulnerability |
VCID-a5js-1u9t-bfan |
|
| 3 |
| vulnerability |
VCID-b2vm-7rth-mqhj |
|
| 4 |
| vulnerability |
VCID-dbvw-1xvz-63b8 |
|
| 5 |
| vulnerability |
VCID-er3j-4ygz-kqdx |
|
| 6 |
| vulnerability |
VCID-q8un-ngwx-5kaw |
|
| 7 |
| vulnerability |
VCID-qv5s-vase-2qas |
|
| 8 |
| vulnerability |
VCID-seud-h84p-uugv |
|
| 9 |
| vulnerability |
VCID-u1sg-z8t6-audk |
|
| 10 |
| vulnerability |
VCID-vta6-rneu-jbgg |
|
| 11 |
| vulnerability |
VCID-wz1m-798r-8yez |
|
| 12 |
| vulnerability |
VCID-xmwx-eqjn-pba9 |
|
| 13 |
| vulnerability |
VCID-xnj2-tbzn-tff6 |
|
| 14 |
| vulnerability |
VCID-y922-r53a-rke5 |
|
| 15 |
| vulnerability |
VCID-zuwm-kmb2-23ay |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/activerecord@3.2.10 |
|
|
| aliases |
CVE-2012-6496, GHSA-gh2w-j7cx-2664, OSV-88661
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xej7-nkc8-dkez |
|
| 15 |
| url |
VCID-xmwx-eqjn-pba9 |
| vulnerability_id |
VCID-xmwx-eqjn-pba9 |
| summary |
Rails activerecord gem has Improper Input Validation vulnerability
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3933, GHSA-gjxw-5w2q-7grf
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xmwx-eqjn-pba9 |
|
| 17 |
| url |
VCID-y922-r53a-rke5 |
| vulnerability_id |
VCID-y922-r53a-rke5 |
| summary |
activerecord vulnerable to SQL Injection
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-0448, GHSA-jmm9-2p29-vh2w
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y922-r53a-rke5 |
|
| 18 |
| url |
VCID-zuwm-kmb2-23ay |
| vulnerability_id |
VCID-zuwm-kmb2-23ay |
| summary |
Active Record component in Ruby on Rails has a data-type injection vulnerability
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-3221, GHSA-f57c-hx33-hvh8
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zuwm-kmb2-23ay |
|