Search for packages
| purl | pkg:gem/activerecord@3.2.12 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2efj-tf8d-dfck
Aliases: CVE-2014-3514 GHSA-9rf5-jm6f-2fmm |
Strong Parameter bypass with create_with The `create_with` functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection. |
Affected by 12 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-3m2y-wy1w-n7h1
Aliases: CVE-2014-3483 GHSA-r8fh-hq2p-7qhq OSV-108665 |
SQL Injection Vulnerabilities Affecting PostgreSQL SQLi vulnerability in activerecord. |
Affected by 14 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-4cky-r218-dkbb
Aliases: CVE-2011-2930 GHSA-h6w6-xmqv-7q78 |
activerecord vulnerable to SQL Injection Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. | There are no reported fixed by versions. |
|
VCID-bsxw-gh14-rbef
Aliases: CVE-2012-2695 GHSA-76wq-xw4h-f8wj |
activerecord vulnerable to SQL Injection The Active Record component in Ruby on Rails efore 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. | There are no reported fixed by versions. |
|
VCID-eb5z-q7rj-j7hh
Aliases: CVE-2013-3221 GHSA-f57c-hx33-hvh8 |
Active Record component in Ruby on Rails has a data-type injection vulnerability The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. |
Affected by 13 other vulnerabilities. |
|
VCID-f4h5-8f57-3uhr
Aliases: GHSA-7phj-gmgx-2r66 |
Moderate severity vulnerability that affects activerecord Withdrawn, accidental duplicate publish. activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. |
Affected by 9 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-j8zg-kq3z-jqcm
Aliases: CVE-2010-3933 GHSA-gjxw-5w2q-7grf |
Improper Input Validation Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. | There are no reported fixed by versions. |
|
VCID-n5fx-u6fs-vydu
Aliases: CVE-2014-0080 GHSA-hqf9-rc9j-5fmj OSV-103438 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. |
Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-n8r7-wthv-fqaj
Aliases: CVE-2022-32224 GHSA-3hhc-qp5v-9p2j GMS-2022-3029 |
Active Record RCE bug with Serialized Columns When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-nzeb-cy9e-tkax
Aliases: CVE-2008-4094 GHSA-xf96-32q2-9rw2 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | There are no reported fixed by versions. |
|
VCID-sb9g-rdnm-rqbm
Aliases: CVE-2014-3482 GHSA-mhwp-qhpc-h3jm OSV-108664 |
SQL Injection in Active Record SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. |
Affected by 12 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-sygb-mygd-s3gb
Aliases: CVE-2022-44566 GHSA-579w-22j4-4749 GMS-2023-59 |
Duplicate This advisory duplicates another. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-thx6-usb2-kkgc
Aliases: CVE-2015-7577 GHSA-xrr6-3pc4-m447 |
Nested attributes rejection proc bypass When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. The `allow_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could set attributes to invalid values or clear all the attributes. |
Affected by 9 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-xa94-z6yu-skf8
Aliases: CVE-2013-1854 GHSA-3crr-9vmg-864v OSV-91453 |
Symbol DoS vulnerability in Active Record When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the work arounds immediately. |
Affected by 16 other vulnerabilities. |
|
VCID-y54w-a8kr-suhy
Aliases: CVE-2011-0448 GHSA-jmm9-2p29-vh2w |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. | There are no reported fixed by versions. |
|
VCID-zqzx-avvt-wkhm
Aliases: CVE-2025-55193 GHSA-76r7-hhxj-r776 |
Active Record logging vulnerable to ANSI escape injection This vulnerability has been assigned the CVE identifier CVE-2025-55193 ### Impact The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. ### Releases The fixed releases are available at the normal locations. ### Credits Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-hbtn-7423-m3gb | Circumvention of attr_protected The attr_protected method allows developers to specify a denylist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected. |
CVE-2013-0276
GHSA-gr44-7grc-37vq OSV-90072 |