RubyGems package
activerecord
pkg:gem/activerecord
Vulnerabilities (23)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-55193 | Low | — | — | >= 8.0, < 8.0.2.1 | 8.0.2.1 | Aug 13, 2025 | Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been |
| CVE-2023-22794 | — | — | — | >= 6.0.0, < 6.0.6.1 | 6.0.6.1 | Feb 9, 2023 | A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annota |
| CVE-2022-44566 | — | — | — | < 6.1.7.1 | 6.1.7.1 | Feb 9, 2023 | A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer val |
| CVE-2022-32224 | Critical | 9.8 | — | >= 7.0.0, < 7.0.3.1 | 7.0.3.1 | Dec 5, 2022 | A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an R |
| CVE-2021-22880 | — | — | — | >= 5.0.0, < 5.2.4.5 | 5.2.4.5 | Feb 11, 2021 | The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too m |
| CVE-2016-6317 | High | 7.5 | — | >= 4.2.0, < 4.2.7.1 | 4.2.7.1 | Sep 7, 2016 | Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks o |
| CVE-2015-7577 | Medium | 5.3 | — | >= 3.1.0, < 3.2.22.1 | 3.2.22.1 | Feb 16, 2016 | activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote att |
| CVE-2014-3514 | — | — | — | >= 4.0.0, < 4.0.9 | 4.0.9 | Aug 20, 2014 | activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls. |
| CVE-2014-3483 | — | — | — | >= 4.0.0, < 4.0.7 | 4.0.7 | Jul 7, 2014 | SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging imp |
| CVE-2014-3482 | — | — | — | >= 2.0.0, < 3.2.19 | 3.2.19 | Jul 7, 2014 | SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstrin |
| CVE-2014-0080 | — | — | — | >= 4.0.0, < 4.0.3 | 4.0.3 | Feb 20, 2014 | SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ |
| CVE-2013-3221 | — | — | — | < 4.2.0 | 4.2.0 | Apr 22, 2013 | The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type |
| CVE-2013-1854 | — | — | — | >= 2.3.0, < 2.3.18 | 2.3.18 | Mar 19, 2013 | The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. |
| CVE-2013-0277 | — | — | — | < 2.3.17 | 2.3.17 | Feb 13, 2013 | ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML. |
| CVE-2013-0276 | — | — | — | < 2.3.17 | 2.3.17 | Feb 13, 2013 | ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request. |
| CVE-2013-0155 | — | — | — | >= 3.0.0, < 3.0.19 | 3.0.19 | Jan 13, 2013 | Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictio |
| CVE-2012-6496 | — | — | — | >= 3.0.0.beta, < 3.0.18 | 3.0.18 | Jan 4, 2013 | SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applicati |
| CVE-2012-2695 | — | — | — | >= 3.0.0.beta, < 3.0.14 | 3.0.14 | Jun 22, 2012 | The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via ne |
| CVE-2012-2661 | — | — | — | >= 3.0.0, < 3.0.13 | 3.0.13 | Jun 22, 2012 | The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks |
| CVE-2011-2930 | — | — | — | >= 2.0.0, < 2.3.13 | 2.3.13 | Aug 29, 2011 | Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQ |
Page 1 of 2