Search for packages
| purl | pkg:gem/activerecord@3.2.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2efj-tf8d-dfck
Aliases: CVE-2014-3514 GHSA-9rf5-jm6f-2fmm |
Strong Parameter bypass with create_with The `create_with` functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection. |
Affected by 12 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-3m2y-wy1w-n7h1
Aliases: CVE-2014-3483 GHSA-r8fh-hq2p-7qhq OSV-108665 |
SQL Injection Vulnerabilities Affecting PostgreSQL SQLi vulnerability in activerecord. |
Affected by 14 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-4cky-r218-dkbb
Aliases: CVE-2011-2930 GHSA-h6w6-xmqv-7q78 |
activerecord vulnerable to SQL Injection Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. | There are no reported fixed by versions. |
|
VCID-bsxw-gh14-rbef
Aliases: CVE-2012-2695 GHSA-76wq-xw4h-f8wj |
activerecord vulnerable to SQL Injection The Active Record component in Ruby on Rails efore 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. |
Affected by 20 other vulnerabilities. |
|
VCID-eb5z-q7rj-j7hh
Aliases: CVE-2013-3221 GHSA-f57c-hx33-hvh8 |
Active Record component in Ruby on Rails has a data-type injection vulnerability The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. |
Affected by 13 other vulnerabilities. |
|
VCID-f4h5-8f57-3uhr
Aliases: GHSA-7phj-gmgx-2r66 |
Moderate severity vulnerability that affects activerecord Withdrawn, accidental duplicate publish. activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. |
Affected by 9 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-hbtn-7423-m3gb
Aliases: CVE-2013-0276 GHSA-gr44-7grc-37vq OSV-90072 |
Circumvention of attr_protected The attr_protected method allows developers to specify a denylist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected. |
Affected by 16 other vulnerabilities. |
|
VCID-j7p8-hchp-xbe3
Aliases: CVE-2013-0155 GHSA-gppp-5xc5-wfpx OSV-89025 |
Unsafe Query Generation Risk in Ruby on Rails Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it. |
Affected by 18 other vulnerabilities. |
|
VCID-j8zg-kq3z-jqcm
Aliases: CVE-2010-3933 GHSA-gjxw-5w2q-7grf |
Improper Input Validation Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. | There are no reported fixed by versions. |
|
VCID-kkbt-pr7u-f7gn
Aliases: CVE-2012-6496 GHSA-gh2w-j7cx-2664 OSV-88661 |
Active Record contains SQL Injection SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. |
Affected by 19 other vulnerabilities. |
|
VCID-n5fx-u6fs-vydu
Aliases: CVE-2014-0080 GHSA-hqf9-rc9j-5fmj OSV-103438 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. |
Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-n8r7-wthv-fqaj
Aliases: CVE-2022-32224 GHSA-3hhc-qp5v-9p2j GMS-2022-3029 |
Active Record RCE bug with Serialized Columns When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-nk6g-hhsk-8kaw
Aliases: CVE-2013-0277 GHSA-fhj9-cjjh-27vm OSV-90073 |
Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 There is a vulnerability in the serialized attribute handling code in Ruby on Rails, applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities. | There are no reported fixed by versions. |
|
VCID-nzeb-cy9e-tkax
Aliases: CVE-2008-4094 GHSA-xf96-32q2-9rw2 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | There are no reported fixed by versions. |
|
VCID-phxs-zet8-ryh3
Aliases: CVE-2012-2660 GHSA-hgpp-pp89-4fgf OSV-82610 |
SQL Injection Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses in to application SQL queries. This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places. |
Affected by 20 other vulnerabilities. |
|
VCID-rq7w-zmh4-17e1
Aliases: CVE-2012-2661 GHSA-fh39-v733-mxfr OSV-82403 |
SQL injection vulnerability in Active Record Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries. |
Affected by 20 other vulnerabilities. |
|
VCID-sb9g-rdnm-rqbm
Aliases: CVE-2014-3482 GHSA-mhwp-qhpc-h3jm OSV-108664 |
SQL Injection in Active Record SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. |
Affected by 12 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-sygb-mygd-s3gb
Aliases: CVE-2022-44566 GHSA-579w-22j4-4749 GMS-2023-59 |
Duplicate This advisory duplicates another. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-thx6-usb2-kkgc
Aliases: CVE-2015-7577 GHSA-xrr6-3pc4-m447 |
Nested attributes rejection proc bypass When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. The `allow_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could set attributes to invalid values or clear all the attributes. |
Affected by 9 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-xa94-z6yu-skf8
Aliases: CVE-2013-1854 GHSA-3crr-9vmg-864v OSV-91453 |
Symbol DoS vulnerability in Active Record When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the work arounds immediately. |
Affected by 16 other vulnerabilities. |
|
VCID-y54w-a8kr-suhy
Aliases: CVE-2011-0448 GHSA-jmm9-2p29-vh2w |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. | There are no reported fixed by versions. |
|
VCID-zqzx-avvt-wkhm
Aliases: CVE-2025-55193 GHSA-76r7-hhxj-r776 |
Active Record logging vulnerable to ANSI escape injection This vulnerability has been assigned the CVE identifier CVE-2025-55193 ### Impact The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. ### Releases The fixed releases are available at the normal locations. ### Credits Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-n5fx-u6fs-vydu | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. |
CVE-2014-0080
GHSA-hqf9-rc9j-5fmj OSV-103438 |