Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/activerecord@2.4
purl pkg:gem/activerecord@2.4
Tags Ghost
Next non-vulnerable version 7.1.5.2
Latest non-vulnerable version 8.0.2.1
Risk 4.5
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-4cky-r218-dkbb
Aliases:
CVE-2011-2930
GHSA-h6w6-xmqv-7q78
activerecord vulnerable to SQL Injection Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
3.0.10
Affected by 21 other vulnerabilities.
3.1.0.rc5
Affected by 22 other vulnerabilities.
3.1.0
Affected by 22 other vulnerabilities.
VCID-hbtn-7423-m3gb
Aliases:
CVE-2013-0276
GHSA-gr44-7grc-37vq
OSV-90072
Circumvention of attr_protected The attr_protected method allows developers to specify a denylist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.
3.1.11
Affected by 16 other vulnerabilities.
3.2.0.rc1
Affected by 22 other vulnerabilities.
3.2.12
Affected by 16 other vulnerabilities.
VCID-j7p8-hchp-xbe3
Aliases:
CVE-2013-0155
GHSA-gppp-5xc5-wfpx
OSV-89025
Unsafe Query Generation Risk in Ruby on Rails Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it.
3.0.19
Affected by 17 other vulnerabilities.
3.1.0.beta1
Affected by 22 other vulnerabilities.
3.1.10
Affected by 18 other vulnerabilities.
3.2.0.rc1
Affected by 22 other vulnerabilities.
3.2.11
Affected by 18 other vulnerabilities.
VCID-j8zg-kq3z-jqcm
Aliases:
CVE-2010-3933
GHSA-gjxw-5w2q-7grf
Improper Input Validation Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
3.0.1
Affected by 21 other vulnerabilities.
VCID-nk6g-hhsk-8kaw
Aliases:
CVE-2013-0277
GHSA-fhj9-cjjh-27vm
OSV-90073
Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 There is a vulnerability in the serialized attribute handling code in Ruby on Rails, applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities.
3.1.0
Affected by 22 other vulnerabilities.
VCID-rq7w-zmh4-17e1
Aliases:
CVE-2012-2661
GHSA-fh39-v733-mxfr
OSV-82403
SQL injection vulnerability in Active Record Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.
3.0.13
Affected by 19 other vulnerabilities.
3.1.0.beta1
Affected by 22 other vulnerabilities.
3.1.5
Affected by 20 other vulnerabilities.
3.2.0.rc1
Affected by 22 other vulnerabilities.
3.2.4
Affected by 20 other vulnerabilities.
VCID-xa94-z6yu-skf8
Aliases:
CVE-2013-1854
GHSA-3crr-9vmg-864v
OSV-91453
Symbol DoS vulnerability in Active Record When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the work arounds immediately.
3.0.0
Affected by 22 other vulnerabilities.
3.1.12
Affected by 16 other vulnerabilities.
3.2.13
Affected by 16 other vulnerabilities.
VCID-y54w-a8kr-suhy
Aliases:
CVE-2011-0448
GHSA-jmm9-2p29-vh2w
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
3.0.4
Affected by 21 other vulnerabilities.
3.0.5.rc1
Affected by 21 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T15:18:32.761833+00:00 Ruby Importer Affected by VCID-j8zg-kq3z-jqcm https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2010-3933.yml 38.0.0
2026-04-01T15:18:32.688965+00:00 Ruby Importer Affected by VCID-y54w-a8kr-suhy https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.yml 38.0.0
2026-04-01T15:18:32.624304+00:00 Ruby Importer Affected by VCID-hbtn-7423-m3gb https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0276.yml 38.0.0
2026-04-01T15:18:32.535069+00:00 Ruby Importer Affected by VCID-rq7w-zmh4-17e1 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2661.yml 38.0.0
2026-04-01T15:18:32.470618+00:00 Ruby Importer Affected by VCID-4cky-r218-dkbb https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-2930.yml 38.0.0
2026-04-01T15:18:32.447150+00:00 Ruby Importer Affected by VCID-nk6g-hhsk-8kaw https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0277.yml 38.0.0
2026-04-01T15:18:32.338755+00:00 Ruby Importer Affected by VCID-xa94-z6yu-skf8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-1854.yml 38.0.0
2026-04-01T15:18:32.293092+00:00 Ruby Importer Affected by VCID-j7p8-hchp-xbe3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0155.yml 38.0.0