7.5
CVSSv2

CVE-2014-3482

Published: 07/07/2014 Updated: 08/08/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x prior to 3.2.19 allows remote malicious users to execute arbitrary SQL commands by leveraging improper bitstring quoting.
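The following is an added illustration, not code from this page or from Rails itself, of the quoting weakness described above. Rails 3.2.19 fixed the bitstring quoting in the PostgreSQL adapter by replacing the Ruby line anchors `^` and `$` with the string anchors `\A` and `\z`; the method names, the regexes as written and the sample payload below are assumptions modeled on that change, and the table name `flags`/column `mask` are made up for the example.

```ruby
# Illustrative re-creation of the bitstring quoting flaw behind CVE-2014-3482.
# Assumption: method names, regexes and the payload are modeled on the
# Rails 3.2.19 fix (line anchors ^/$ replaced by string anchors \A/\z);
# none of this is the project's own code.

# Constructed attacker-controlled value: a valid bit digit on the first line,
# SQL on the second.
PAYLOAD = "1\n'); DROP TABLE users; --"

# Vulnerable quoting: in Ruby, ^ and $ match at *line* boundaries, so a value
# whose first line is all 0/1 digits is accepted even if later lines hold SQL.
def quote_bit_vulnerable(value)
  case value
  when /^[01]*$/      then "B'#{value}'"   # bit-string literal
  when /^[0-9A-F]*$/i then "X'#{value}'"   # hexadecimal literal
  end
end

# Hardened quoting: \A and \z anchor to the whole string, so any character
# outside the allowed alphabet (a newline included) fails the match and the
# value is rejected instead of being interpolated into SQL.
def quote_bit_fixed(value)
  case value
  when /\A[01]*\z/      then "B'#{value}'"
  when /\A[0-9A-F]*\z/i then "X'#{value}'"
  else
    raise ArgumentError, "invalid bit string: #{value.inspect}"
  end
end

# Builds the statement the adapter would send; `quoter` selects which
# quoting routine is used.
def build_insert(quoter, value)
  "INSERT INTO flags (mask) VALUES (#{send(quoter, value)})"
end

if __FILE__ == $0
  puts build_insert(:quote_bit_vulnerable, PAYLOAD)
  begin
    puts build_insert(:quote_bit_fixed, PAYLOAD)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run stand-alone, the vulnerable path emits `INSERT INTO flags (mask) VALUES (B'1` followed by the attacker's `'); DROP TABLE users; --`, which closes the bit literal and appends a second statement; the hardened path raises before any SQL is built. `\z` is used rather than `\Z` because `\Z` still tolerates a single trailing newline.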

Affected Products

Vendor        Product        Versions
Rubyonrails   Rails          2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.15, 2.3.16, 2.3.18, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.15, 3.2.16, 3.2.17, 3.2.18
Rubyonrails   Ruby On Rails  2.3.17, 3.0.4

Vendor Advisories

Sean Griffin discovered two vulnerabilities in the PostgreSQL adapter for Active Record which could lead to SQL injection. For the stable distribution (wheezy), these problems have been fixed in version 3.2.6-5+deb7u1. Debian provides two variants of Ruby on Rails in Wheezy (2.3 and 3.2). Support for the 2.3 variants had to be ceased at this point ...
It was discovered that Active Record did not properly quote values of the bitstring type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record ...