CVE-2014-0080

Affected configuration(s):

cpe:/a:rubyonrails:ruby_on_rails:4.0.0:-
cpe:/a:rubyonrails:ruby_on_rails:4.0.0:beta
cpe:/a:rubyonrails:ruby_on_rails:4.0.0:rc1
cpe:/a:rubyonrails:ruby_on_rails:4.0.0:rc2
cpe:/a:rubyonrails:ruby_on_rails:4.0.1:-
cpe:/a:rubyonrails:ruby_on_rails:4.0.1:rc1
cpe:/a:rubyonrails:ruby_on_rails:4.0.1:rc2
cpe:/a:rubyonrails:ruby_on_rails:4.0.1:rc3
cpe:/a:rubyonrails:ruby_on_rails:4.0.1:rc4
cpe:/a:rubyonrails:ruby_on_rails:4.0.2:-
cpe:/a:rubyonrails:ruby_on_rails:4.1.0:beta1

Date published: 2014-02-20T10:27:02.750-05:00

Date last modified: 2014-02-20T19:13:30.407-05:00

CVSS Score: 6.8

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://openwall.com/lists/oss-security/2014/02/18/9

Summary: SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.
