| purl | pkg:gem/activerecord@3.1.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-5vcg-bgpn-9fhs (Aliases: CVE-2013-0155, GHSA-gppp-5xc5-wfpx, OSV-89025) | Active Record allows bypassing of database-query restrictions. Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694. | Affected by 17 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 17 other vulnerabilities. |
| VCID-8uqv-cr1v-fbbm (Aliases: CVE-2013-0277, GHSA-fhj9-cjjh-27vm, OSV-90073) | Active Record contains deserialization of arbitrary YAML. ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the `serialize` helper to deserialize arbitrary YAML. | There are no reported fixed by versions. |
| VCID-a5js-1u9t-bfan (Aliases: CVE-2014-3514, GHSA-9rf5-jm6f-2fmm) | Active Record subject to strong parameters protection bypass. `activerecord/lib/active_record/relation/query_methods.rb` in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes `create_with` calls. | Affected by 11 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 11 other vulnerabilities. |
| VCID-b2vm-7rth-mqhj (Aliases: CVE-2013-1854, GHSA-3crr-9vmg-864v, OSV-91453) | Active Record Improper Input Validation. The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a `where` method. | Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. |
| VCID-dbvw-1xvz-63b8 (Aliases: CVE-2012-2695, GHSA-76wq-xw4h-f8wj) | activerecord vulnerable to SQL Injection. The Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a `where` method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. | Affected by 19 other vulnerabilities. |
| VCID-dp3h-z1zs-ufba (Aliases: CVE-2022-32224, GHSA-3hhc-qp5v-9p2j) | activerecord: Possible RCE escalation bug with Serialized Columns in Active Record. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 3 other vulnerabilities. |
| VCID-er3j-4ygz-kqdx (Aliases: CVE-2011-2930, GHSA-h6w6-xmqv-7q78) | activerecord vulnerable to SQL Injection. Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. | There are no reported fixed by versions. |
| VCID-nzb9-vn9k-jbgs (Aliases: CVE-2022-44566, GHSA-579w-22j4-4749, GMS-2023-59) | Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter. There is a potential denial of service vulnerability present in ActiveRecord's PostgreSQL adapter. This has been assigned the CVE identifier CVE-2022-44566. Versions Affected: All. Not affected: None. Fixed Versions: 2.3.18.47 (Rails LTS, which is a paid service and not part of the rubygem); 3.2.22.34 (Rails LTS, which is a paid service and not part of the rubygem); 4.2.11.27 (Rails LTS, which is a paid service and not part of the rubygem); 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem); 6.1.7.1; 7.0.4.1. Impact: In ActiveRecord < 7.0.4.1 and < 6.1.7.1, when a value outside the range for a 64-bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan, resulting in potential Denial of Service. Releases: The fixed releases are available at the normal locations. Workarounds: Ensure that user-supplied input which is provided to ActiveRecord clauses does not contain integers wider than a signed 64-bit representation or floats. Patches: To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset: 6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch (patch for the 6.1 series); 7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch (patch for the 7.0 series). | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-q8un-ngwx-5kaw (Aliases: CVE-2015-7577, GHSA-xrr6-3pc4-m447) | Active Record Improper Access Control. `activerecord/lib/active_record/nested_attributes.rb` in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. | Affected by 9 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 9 other vulnerabilities. |
| VCID-qv5s-vase-2qas (Aliases: CVE-2014-0080, GHSA-hqf9-rc9j-5fmj, OSV-103438) | Array data injection vulnerability in activerecord. SQL injection vulnerability in `activerecord/lib/active_record/connection_adapters/postgresql/cast.rb` in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving `\` (backslash) characters that are not properly handled in operations on array columns. | Affected by 21 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-seud-h84p-uugv (Aliases: CVE-2014-3482, GHSA-mhwp-qhpc-h3jm, OSV-108664) | SQL Injection in Active Record. SQL injection vulnerability in `activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb` in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. | Affected by 11 other vulnerabilities. Affected by 17 other vulnerabilities. |
| VCID-u1sg-z8t6-audk (Aliases: CVE-2014-3483, GHSA-r8fh-hq2p-7qhq, OSV-108665) | Active Record contains SQL Injection via improper range quoting. SQL injection vulnerability in `activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb` in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting. | Affected by 12 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 12 other vulnerabilities. |
| VCID-vta6-rneu-jbgg (Aliases: CVE-2013-0276, GHSA-gr44-7grc-37vq, OSV-90072) | ActiveRecord vulnerable to modification of protected model attributes. ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the `attr_protected` protection mechanism and modify protected model attributes via a crafted request. | Affected by 15 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 15 other vulnerabilities. |
| VCID-wz1m-798r-8yez (Aliases: CVE-2008-4094, GHSA-xf96-32q2-9rw2) | Rails ActiveRecord gem vulnerable to SQL injection. Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) `:limit` and (2) `:offset` parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | There are no reported fixed by versions. |
| VCID-xej7-nkc8-dkez (Aliases: CVE-2012-6496, GHSA-gh2w-j7cx-2664, OSV-88661) | Active Record contains SQL Injection. SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain `find_by_` method calls. | Affected by 18 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 18 other vulnerabilities. |
| VCID-xmwx-eqjn-pba9 (Aliases: CVE-2010-3933, GHSA-gjxw-5w2q-7grf) | Rails activerecord gem has Improper Input Validation vulnerability. Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. | There are no reported fixed by versions. |
| VCID-xnj2-tbzn-tff6 (Aliases: CVE-2025-55193, GHSA-76r7-hhxj-r776) | activerecord: Active Record ANSI Injection Vulnerability. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-y922-r53a-rke5 (Aliases: CVE-2011-0448, GHSA-jmm9-2p29-vh2w) | activerecord vulnerable to SQL Injection. Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the `limit` function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. | There are no reported fixed by versions. |
| VCID-zuwm-kmb2-23ay (Aliases: CVE-2013-3221, GHSA-f57c-hx33-hvh8) | Active Record component in Ruby on Rails has a data-type injection vulnerability. The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. | Affected by 13 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-dbvw-1xvz-63b8 | activerecord vulnerable to SQL Injection. The Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a `where` method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. | CVE-2012-2695, GHSA-76wq-xw4h-f8wj |