Package details: pkg:gem/activerecord@3.1
purl pkg:gem/activerecord@3.1
Tags Ghost
Next non-vulnerable version 7.1.5.2
Latest non-vulnerable version 8.0.2.1
Risk 4.0
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-4cky-r218-dkbb
Aliases:
CVE-2011-2930
GHSA-h6w6-xmqv-7q78
activerecord vulnerable to SQL Injection Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. There are no reported fixed by versions.
VCID-bsxw-gh14-rbef
Aliases:
CVE-2012-2695
GHSA-76wq-xw4h-f8wj
activerecord vulnerable to SQL Injection The Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
3.1.6
Affected by 20 other vulnerabilities.
3.2.6
Affected by 20 other vulnerabilities.
VCID-j7p8-hchp-xbe3
Aliases:
CVE-2013-0155
GHSA-gppp-5xc5-wfpx
OSV-89025
Unsafe Query Generation Risk in Ruby on Rails Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it.
3.1.10
Affected by 18 other vulnerabilities.
3.2.0.rc1
Affected by 22 other vulnerabilities.
3.2.11
Affected by 18 other vulnerabilities.
VCID-kkbt-pr7u-f7gn
Aliases:
CVE-2012-6496
GHSA-gh2w-j7cx-2664
OSV-88661
Active Record contains SQL Injection SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
3.1.9
Affected by 19 other vulnerabilities.
3.2.0.rc1
Affected by 22 other vulnerabilities.
3.2.10
Affected by 19 other vulnerabilities.
VCID-phxs-zet8-ryh3
Aliases:
CVE-2012-2660
GHSA-hgpp-pp89-4fgf
OSV-82610
SQL Injection Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses into application SQL queries. This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places.
3.1.5
Affected by 20 other vulnerabilities.
3.2.0.rc1
Affected by 22 other vulnerabilities.
3.2.4
Affected by 20 other vulnerabilities.
VCID-rq7w-zmh4-17e1
Aliases:
CVE-2012-2661
GHSA-fh39-v733-mxfr
OSV-82403
SQL injection vulnerability in Active Record Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.
3.1.5
Affected by 20 other vulnerabilities.
3.2.0.rc1
Affected by 22 other vulnerabilities.
3.2.4
Affected by 20 other vulnerabilities.
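The four advisories above (CVE-2012-2660, CVE-2012-2661, CVE-2012-2695 and CVE-2013-0155) share one mechanism: a query parameter the application wrote its query for as a string arrives as nil or as a nested hash, and the query builder turns that shape into an `IS NULL` test or into a comparison against a table and column the attacker chose. The following is an added example, not Active Record's code and not taken from the rubysec advisory database: a deliberately simplified stand-in for the pre-fix predicate builder, followed by the scalar allow-list that closes the hole. The `legacy_where`, `quote`, `permit_scalars` and `safe_where` names and the sample requests and params hashes are all constructed for this illustration.

```ruby
# Added example, not Active Record's code: a stand-alone, deliberately simplified
# model of the pre-fix parameter handling described in CVE-2012-2660,
# CVE-2012-2661, CVE-2012-2695 and CVE-2013-0155, plus the scalar allow-list
# that closes the hole. All names and sample requests below are constructed.

# Params hashes as bracket-style query parsing and JSON parsing hand them to the
# application. Constructed for this example; what matters is the *shape* of each
# value, which the application never asked for.
SAMPLE_PARAMS = {
  "GET /posts?title=hello"          => { "title" => "hello" },                  # expected: a String
  "GET /posts?title"                => { "title" => nil },                      # bare key: nil
  "POST /posts {\"title\": null}"   => { "title" => nil },                      # JSON null: nil
  "GET /posts?title[users.admin]=1" => { "title" => { "users.admin" => "1" } }, # nested hash
}.freeze

# Placeholder literal quoting for the demo only; real code uses the driver's
# quoting or bind parameters.
def quote(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Pre-fix behaviour modelled on the advisories: nil becomes IS NULL, a nested
# hash makes the attacker's key the table and its keys the columns (a dotted
# key is taken as an already-qualified column), anything else is compared.
def legacy_where(table, conditions)
  conditions.map do |column, value|
    ref = column.include?(".") ? column : "#{table}.#{column}"
    case value
    when nil  then "#{ref} IS NULL"
    when Hash then legacy_where(column, value)
    else           "#{ref} = #{quote(value)}"
    end
  end.join(" AND ")
end

# Every sample request run through the legacy builder: request => WHERE clause.
def legacy_clauses(samples = SAMPLE_PARAMS)
  samples.transform_values { |params| legacy_where("posts", params) }
end

class UnsafeParameter < ArgumentError; end

# Hardened: keep only an explicit allow-list of keys, and only when the value is
# the scalar String the query was written for. nil, Array and Hash are rejected
# before the builder can interpret them.
def permit_scalars(params, allowed)
  allowed.each_with_object({}) do |key, out|
    next unless params.key?(key)
    value = params[key]
    unless value.is_a?(String)
      raise UnsafeParameter, "#{key}: expected String, got #{value.inspect}"
    end
    out[key] = value
  end
end

def safe_where(table, params, allowed)
  legacy_where(table, permit_scalars(params, allowed))
end

if __FILE__ == $0
  legacy_clauses.each { |req, sql| puts "#{req.ljust(34)} => WHERE #{sql}" }
  SAMPLE_PARAMS.each do |req, params|
    begin
      puts "#{req.ljust(34)} => WHERE #{safe_where('posts', params, ['title'])}"
    rescue UnsafeParameter => e
      puts "#{req.ljust(34)} => rejected (#{e.message})"
    end
  end
end
```

Run stand-alone, the legacy builder turns the bare `?title` request and the JSON `null` into `posts.title IS NULL`, and the nested-hash request into `users.admin = '1'`, a predicate on a different table entirely; the hardened path answers only the first request and rejects the other three before any SQL is built. Type-checking the parameter is the general fix, which is why the Rails patches for these advisories, and strong parameters later, insist on the declared scalar shape rather than on escaping.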
VCID-thx6-usb2-kkgc
Aliases:
CVE-2015-7577
GHSA-xrr6-3pc4-m447
Nested attributes rejection proc bypass When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. Passing the `_destroy` flag in the nested attributes prevents the `:reject_if` proc from being called, because the record is assumed to be destroyed anyway. That assumption does not hold when `:allow_destroy` is false: the record is kept, so changes that would have been rejected are applied to it. Attackers could set attributes to invalid values or clear all the attributes.
3.2.22.1
Affected by 9 other vulnerabilities.
4.1.14.1
Affected by 10 other vulnerabilities.
4.2.5.1
Affected by 11 other vulnerabilities.
5.0.0.beta1.1
Affected by 9 other vulnerabilities.
VCID-xa94-z6yu-skf8
Aliases:
CVE-2013-1854
GHSA-3crr-9vmg-864v
OSV-91453
Symbol DoS vulnerability in Active Record When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the work arounds immediately.
3.1.12
Affected by 16 other vulnerabilities.
3.2.13
Affected by 16 other vulnerabilities.
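The "Fixed by" column gives, per release series, the first activerecord release that closes each advisory. An added example, not VulnerableCode's own code: the table below transcribes that data (CVE-2011-2930 has no fixed-by entry on this page, so its boundaries are taken from the version ranges in its summary) and uses the standard `Gem::Version` ordering, which sorts `3.1.0.rc5` before `3.1.0`, to decide whether a given version is still affected. A series with no listed fix is reported as undecided rather than guessed. The `series`, `status`, `affecting_advisories` and `undecided_advisories` names are this example's own.

```ruby
# Added example (not part of VulnerableCode or the rubysec advisory DB):
# check an activerecord version against the "Fixed by" data listed on this page.
require "rubygems" # Gem::Version; already loaded by default in modern Ruby

# Fixed-by versions per advisory, transcribed from the list above. CVE-2011-2930
# has no "Fixed by" entry on this page, so its boundaries are the first
# non-vulnerable release per series named in its summary text.
ACTIVERECORD_FIXES = {
  "CVE-2011-2930" => %w[2.3.13 3.0.10 3.1.0.rc5],
  "CVE-2012-2660" => %w[3.1.5 3.2.4],
  "CVE-2012-2661" => %w[3.1.5 3.2.4],
  "CVE-2012-2695" => %w[3.1.6 3.2.6],
  "CVE-2012-6496" => %w[3.1.9 3.2.10],
  "CVE-2013-0155" => %w[3.1.10 3.2.11],
  "CVE-2013-1854" => %w[3.1.12 3.2.13],
  "CVE-2015-7577" => %w[3.2.22.1 4.1.14.1 4.2.5.1 5.0.0.beta1.1],
}.freeze

# Release series ("3.1", "5.0") of a version string; prerelease tags such as
# "rc5" or "beta1" sit after the first two segments and are ignored here.
def series(version)
  Gem::Version.new(version).segments.first(2).join(".")
end

# :affected -> older than the fix listed for the same series
# :fixed    -> the fix for its series, or newer
# :unknown  -> no fix listed for that series on this page; read the advisory
def status(version, fixes)
  v = Gem::Version.new(version)
  fix = fixes.find { |f| series(f) == series(version) }
  return :unknown unless fix
  v < Gem::Version.new(fix) ? :affected : :fixed
end

# Advisories on this page that still apply to +version+ (page order preserved).
def affecting_advisories(version, table = ACTIVERECORD_FIXES)
  table.select { |_, fixes| status(version, fixes) == :affected }.keys
end

# Advisories whose status cannot be decided from the fixed-by data alone.
def undecided_advisories(version, table = ACTIVERECORD_FIXES)
  table.select { |_, fixes| status(version, fixes) == :unknown }.keys
end

if __FILE__ == $0
  %w[3.1 3.1.0.rc4 3.1.5 3.1.12 3.2.13 4.0.13].each do |v|
    puts "#{v.ljust(10)} affected: #{affecting_advisories(v).join(', ')}"
    puts "#{' ' * 10} undecided: #{undecided_advisories(v).join(', ')}"
  end
end
```

Feed it the version pinned in a `Gemfile.lock`. For the bare `3.1` of this page's purl it reports six open advisories; `3.1.12`, the newest 3.1.x fix listed here, clears all of them but leaves CVE-2015-7577 undecided, because that advisory lists no 3.1 fix at all, which is the signal to read it rather than assume the branch is safe. The :unknown result is deliberate: a series that a maintainer stopped patching is usually affected, not fixed, and a checker that silently returned :fixed for it would hide exactly the cases that matter.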
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T15:18:33.010376+00:00 Ruby Importer Affected by VCID-thx6-usb2-kkgc https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2015-7577.yml 38.0.0
2026-04-01T15:18:32.942121+00:00 Ruby Importer Affected by VCID-kkbt-pr7u-f7gn https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-6496.yml 38.0.0
2026-04-01T15:18:32.658408+00:00 Ruby Importer Affected by VCID-phxs-zet8-ryh3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2660.yml 38.0.0
2026-04-01T15:18:32.592592+00:00 Ruby Importer Affected by VCID-bsxw-gh14-rbef https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2695.yml 38.0.0
2026-04-01T15:18:32.510123+00:00 Ruby Importer Affected by VCID-rq7w-zmh4-17e1 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2661.yml 38.0.0
2026-04-01T15:18:32.479693+00:00 Ruby Importer Affected by VCID-4cky-r218-dkbb https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-2930.yml 38.0.0
2026-04-01T15:18:32.365169+00:00 Ruby Importer Affected by VCID-xa94-z6yu-skf8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-1854.yml 38.0.0
2026-04-01T15:18:32.303605+00:00 Ruby Importer Affected by VCID-j7p8-hchp-xbe3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0155.yml 38.0.0