Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 6.8
CVE Id CVE-2014-0080
Last Modified 20 Feb 2014 07:13:30
Published 20 Feb 2014 10:27:02
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2014-0080

Summary

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.

Vulnerable Systems

Application

  • Rubyonrails Ruby On Rails 4.0.0

  • Rubyonrails Ruby On Rails 4.0.1

  • Rubyonrails Ruby On Rails 4.0.2

  • Rubyonrails Ruby On Rails 4.1.0


References

MLIST - [rubyonrails-security] 20140218 Data Injection Vulnerability in Active Record (CVE-2014-0080)

MLIST - [oss-security] 20140218 Data Injection Vulnerability in Active Record (CVE-2014-0080)


Last Updated: 27 May 2016 11:04:30