Search for packages
| purl | pkg:gem/activerecord@4.1.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2efj-tf8d-dfck
Aliases: CVE-2014-3514 GHSA-9rf5-jm6f-2fmm |
Strong Parameter bypass with create_with The `create_with` functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection. |
Affected by 12 other vulnerabilities. |
|
VCID-4cky-r218-dkbb
Aliases: CVE-2011-2930 GHSA-h6w6-xmqv-7q78 |
activerecord vulnerable to SQL Injection Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. | There are no reported fixed by versions. |
|
VCID-5mr1-tzkd-v3ae
Aliases: GHSA-hm48-76wh-q86v |
High severity vulnerability that affects activerecord Withdrawn, accidental duplicate publish. activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls. |
Affected by 12 other vulnerabilities. |
|
VCID-9t7a-muwx-zyee
Aliases: CVE-2016-6317 GHSA-pr3r-4wrp-r2pv |
Improper Access Control The Rails gem does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing `WHERE` clauses via a crafted request. |
Affected by 9 other vulnerabilities. |
|
VCID-bsxw-gh14-rbef
Aliases: CVE-2012-2695 GHSA-76wq-xw4h-f8wj |
activerecord vulnerable to SQL Injection The Active Record component in Ruby on Rails efore 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. | There are no reported fixed by versions. |
|
VCID-eb5z-q7rj-j7hh
Aliases: CVE-2013-3221 GHSA-f57c-hx33-hvh8 |
Active Record component in Ruby on Rails has a data-type injection vulnerability The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. |
Affected by 13 other vulnerabilities. |
|
VCID-f4h5-8f57-3uhr
Aliases: GHSA-7phj-gmgx-2r66 |
Moderate severity vulnerability that affects activerecord Withdrawn, accidental duplicate publish. activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-j8zg-kq3z-jqcm
Aliases: CVE-2010-3933 GHSA-gjxw-5w2q-7grf |
Improper Input Validation Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. | There are no reported fixed by versions. |
|
VCID-n8r7-wthv-fqaj
Aliases: CVE-2022-32224 GHSA-3hhc-qp5v-9p2j GMS-2022-3029 |
Active Record RCE bug with Serialized Columns When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-nzeb-cy9e-tkax
Aliases: CVE-2008-4094 GHSA-xf96-32q2-9rw2 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | There are no reported fixed by versions. |
|
VCID-sygb-mygd-s3gb
Aliases: CVE-2022-44566 GHSA-579w-22j4-4749 GMS-2023-59 |
Duplicate This advisory duplicates another. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-thx6-usb2-kkgc
Aliases: CVE-2015-7577 GHSA-xrr6-3pc4-m447 |
Nested attributes rejection proc bypass When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. The `allow_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could set attributes to invalid values or clear all the attributes. |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-y54w-a8kr-suhy
Aliases: CVE-2011-0448 GHSA-jmm9-2p29-vh2w |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. | There are no reported fixed by versions. |
|
VCID-zqzx-avvt-wkhm
Aliases: CVE-2025-55193 GHSA-76r7-hhxj-r776 |
Active Record logging vulnerable to ANSI escape injection This vulnerability has been assigned the CVE identifier CVE-2025-55193 ### Impact The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. ### Releases The fixed releases are available at the normal locations. ### Credits Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||