CVE-2014-3483

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.

Published Bysecalert@redhat.com

Published DateJul 07, 2014, 11:01

Affected Versions(2)

activerecord(RubyGems)

Introduced4.0.0

Fixed4.0.7

LimitN/A

activerecord(RubyGems)

Introduced4.1.0

Fixed4.1.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
activerecord(RubyGems)	4.0.0	4.0.7	N/A
activerecord(RubyGems)	4.1.0	4.1.3	N/A

Weakness Type (CWE):CWE-89

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-89

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL