{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-07-02T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-05-04T16:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2014:0877", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0877.html"}, {"name": "59971", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/59971"}, {"name": "[oss-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2014/07/02/5"}, {"name": "[rubyonrails-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"}, {"name": "60214", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/60214"}, {"name": "DSA-2982", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2982"}, {"name": "68341", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/68341"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3483", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2014:0877", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0877.html"}, {"name": "59971", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59971"}, {"name": "[oss-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/07/02/5"}, {"name": "[rubyonrails-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"}, {"name": "60214", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60214"}, {"name": "DSA-2982", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2982"}, {"name": "68341", "refsource": "BID", "url": "http://www.securityfocus.com/bid/68341"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:43:06.187Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2014:0877", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0877.html"}, {"name": "59971", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/59971"}, {"name": "[oss-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2014/07/02/5"}, {"name": "[rubyonrails-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"}, {"name": "60214", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/60214"}, {"name": "DSA-2982", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2982"}, {"name": "68341", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/68341"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3483", "datePublished": "2014-07-07T10:00:00.000Z", "dateReserved": "2014-05-14T00:00:00.000Z", "dateUpdated": "2024-08-06T10:43:06.187Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", "matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", "matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb en el adaptador PostgreSQL para Active Record en Ruby on Rails 4.x anterior a 4.0.7 y 4.1.x anterior a 4.1.3 permite a atacantes remotos ejecutar comandos SQL arbitrarios mediante el aprovechamiento de el citado de rangos indebido."}], "id": "CVE-2014-3483", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-07-07T11:01:30.573", "references": [{"source": "secalert@redhat.com", "url": "http://openwall.com/lists/oss-security/2014/07/02/5"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-0877.html"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/59971"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/60214"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2014/dsa-2982"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/68341"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2014/07/02/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0877.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59971"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/60214"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2982"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/68341"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Ruby on Rails project for reporting this issue. Upstream acknowledges Sean Griffin (thoughtbot) as the original reporter.", "affected_release": [{"advisory": "RHSA-2014:0877", "cpe": "cpe:/a:redhat:rhel_software_collections:1::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-2.2.el6", "product_name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux 6", "release_date": "2014-07-14T00:00:00Z"}, {"advisory": "RHSA-2014:0877", "cpe": "cpe:/a:redhat:rhel_software_collections:1::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-2.2.el6", "product_name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS", "release_date": "2014-07-14T00:00:00Z"}, {"advisory": "RHSA-2014:0877", "cpe": "cpe:/a:redhat:rhel_software_collections:1::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-2.2.el7", "product_name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux 7", "release_date": "2014-07-14T00:00:00Z"}], "bugzilla": {"description": "rubygem-activerecord: SQL injection vulnerability in 'range' quoting", "id": "1114427", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1114427"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "cwe": "CWE-89", "details": ["SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.", "It was discovered that Active Record did not properly quote values of the range type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record."], "name": "CVE-2014-3483", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:redhat:openstack:3", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "Red Hat OpenStack Platform 3"}, {"cpe": "cpe:/a:redhat:openstack:4", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "Red Hat OpenStack Platform 4"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:1", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2014-07-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3483\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3483"], "threat_severity": "Moderate"}

{}