| purl | pkg:gem/activerecord@4.0.0.alpha |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-9t7a-muwx-zyee Aliases: CVE-2016-6317 GHSA-pr3r-4wrp-r2pv | Improper Access Control. The Rails gem does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing `WHERE` clauses via a crafted request. | Affected by 9 other vulnerabilities. |
| VCID-thx6-usb2-kkgc Aliases: CVE-2015-7577 GHSA-xrr6-3pc4-m447 | Nested attributes rejection proc bypass. When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. The `allow_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could set attributes to invalid values or clear all the attributes. | Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:47:05.897257+00:00 | GitLab Importer | Affected by | VCID-9t7a-muwx-zyee | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activerecord/CVE-2016-6317.yml | 38.0.0 |
| 2026-04-01T12:47:00.845650+00:00 | GitLab Importer | Affected by | VCID-thx6-usb2-kkgc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activerecord/CVE-2015-7577.yml | 38.0.0 |