CVE-2014-3483

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://openwall.com/lists/oss-security/2014/07/02/5
http://rhn.redhat.com/errata/RHSA-2014-0877.html
http://secunia.com/advisories/59971
http://secunia.com/advisories/60214
http://www.debian.org/security/2014/dsa-2982
http://www.securityfocus.com/bid/68341
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J
http://openwall.com/lists/oss-security/2014/07/02/5
http://rhn.redhat.com/errata/RHSA-2014-0877.html
http://secunia.com/advisories/59971
http://secunia.com/advisories/60214
http://www.debian.org/security/2014/dsa-2982
http://www.securityfocus.com/bid/68341
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rubyonrails:rails:4.0.0:-::::::
	cpe:2.3:a:rubyonrails:rails:4.0.0:beta::::::
	cpe:2.3:a:rubyonrails:rails:4.0.0:rc1::::::
	cpe:2.3:a:rubyonrails:rails:4.0.0:rc2::::::
	cpe:2.3:a:rubyonrails:rails:4.0.1:-::::::
	cpe:2.3:a:rubyonrails:rails:4.0.1:rc1::::::
	cpe:2.3:a:rubyonrails:rails:4.0.1:rc2::::::
	cpe:2.3:a:rubyonrails:rails:4.0.1:rc3::::::
	cpe:2.3:a:rubyonrails:rails:4.0.1:rc4::::::
	cpe:2.3:a:rubyonrails:rails:4.0.2:::::::*
	cpe:2.3:a:rubyonrails:rails:4.0.3:::::::*
	cpe:2.3:a:rubyonrails:rails:4.0.4:::::::*
	cpe:2.3:a:rubyonrails:rails:4.0.5:::::::*
	cpe:2.3:a:rubyonrails:rails:4.0.6:::::::*
	cpe:2.3:a:rubyonrails:rails:4.0.6:rc1::::::
	cpe:2.3:a:rubyonrails:rails:4.0.6:rc2::::::
	cpe:2.3:a:rubyonrails:rails:4.0.6:rc3::::::
	cpe:2.3:a:rubyonrails:rails:4.1.0:-::::::
	cpe:2.3:a:rubyonrails:rails:4.1.0:beta1::::::
	cpe:2.3:a:rubyonrails:rails:4.1.1:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.2:::::::*
	cpe:2.3:a:rubyonrails:rails:4.1.2:rc1::::::
	cpe:2.3:a:rubyonrails:rails:4.1.2:rc2::::::
	cpe:2.3:a:rubyonrails:rails:4.1.2:rc3::::::

History

21 Nov 2024, 02:08

Type	Values Removed	Values Added
References	~~() http://openwall.com/lists/oss-security/2014/07/02/5 -~~	() http://openwall.com/lists/oss-security/2014/07/02/5 -
References	~~() http://rhn.redhat.com/errata/RHSA-2014-0877.html -~~	() http://rhn.redhat.com/errata/RHSA-2014-0877.html -
References	~~() http://secunia.com/advisories/59971 -~~	() http://secunia.com/advisories/59971 -
References	~~() http://secunia.com/advisories/60214 -~~	() http://secunia.com/advisories/60214 -
References	~~() http://www.debian.org/security/2014/dsa-2982 -~~	() http://www.debian.org/security/2014/dsa-2982 -
References	~~() http://www.securityfocus.com/bid/68341 -~~	() http://www.securityfocus.com/bid/68341 -
References	~~() https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J -~~	() https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J -

Information

Published : 2014-07-07 11:01

Updated : 2025-04-12 10:46

NVD link : CVE-2014-3483

Mitre link : CVE-2014-3483

CVE.ORG link : CVE-2014-3483

JSON object : View

Products Affected

rubyonrails

rails

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2014-3483", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-07-07T11:01:30.573", "references": [{"url": "http://openwall.com/lists/oss-security/2014/07/02/5", "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2014-0877.html", "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/59971", "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/60214", "source": "secalert@redhat.com"}, {"url": "http://www.debian.org/security/2014/dsa-2982", "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/68341", "source": "secalert@redhat.com"}, {"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J", "source": "secalert@redhat.com"}, {"url": "http://openwall.com/lists/oss-security/2014/07/02/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2014-0877.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/59971", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/60214", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.debian.org/security/2014/dsa-2982", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/68341", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb en el adaptador PostgreSQL para Active Record en Ruby on Rails 4.x anterior a 4.0.7 y 4.1.x anterior a 4.1.3 permite a atacantes remotos ejecutar comandos SQL arbitrarios mediante el aprovechamiento de el citado de rangos indebido."}], "lastModified": "2025-04-12T10:46:40.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}

7.5 /10