CVE-2014-3482 — Vulnetix

Try Vulnetix Request Demo

CVE-2014-3482 PUBLISHED CVSS 9.300000190734863 CRITICAL

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.

EPSS 1.53% · 81.2th percentile

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

1.53%

81.2th percentile

Affected Products

Vendor	Product	Versions
rubyonrails	rails	3.1.7, 3.2.15, 3.2.16
rubyonrails	ruby_on_rails	3.0.4, 2.3.17
RubyGems	activerecord	2.0.0
n/a	n/a	n/a

Timeline

Jul 7, 2014 CVE Published
Feb 4, 2022 EPSS Score
May 19, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Oct 23, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 28, 2023 EPSS Score
Jul 10, 2023 EPSS Score
Oct 22, 2023 EPSS Score
Feb 3, 2024 EPSS Score
Mar 26, 2024 EPSS Score
Jul 8, 2024 EPSS Score

References

68343 vdb
59973 third-party-advisory
[oss-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL mailing-list
[rubyonrails-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL mailing-list
60214 third-party-advisory
60763 third-party-advisory
RHSA-2014:0876 vendor-advisory
DSA-2982 vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2014-3482 advisory
https://github.com/rails/rails/commit/1f2192e46d78ee0ba2b06373f2c24caf8440ff5b url
https://github.com/rails/rails package
https://groups.google.com/g/rubyonrails-security/c/wDxePLJGZdI url

Open in Interactive Console →