Vulnerability CVE-2014-3483

Vulnerability Name:

CVE-2014-3483 (CCN-94250)

Assigned:

2014-07-03

Published:

2014-07-03

Updated:

2019-08-08

Summary:

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-89

Vulnerability Consequences:

Data Manipulation

References:

Source: MITRE
Type: CNA
CVE-2014-3483

Source: MLIST
Type: UNKNOWN
[oss-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL

Source: REDHAT
Type: UNKNOWN
RHSA-2014:0877

Source: CCN
Type: Ruby on Rails Web site
Ruby on Rails

Source: CCN
Type: OSS Security mailing list Web site
[CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL

Source: SECUNIA
Type: UNKNOWN
59971

Source: SECUNIA
Type: UNKNOWN
60214

Source: DEBIAN
Type: UNKNOWN
DSA-2982

Source: BID
Type: UNKNOWN
68341

Source: CCN
Type: BID-68341
Ruby on Rails 'ActiveRecord' CVE-2014-3483 SQL Injection Vulnerability

Source: CCN
Type: Red Hat Security Web site
CVE-2014-3483

Source: XF
Type: UNKNOWN
rubyonrails-cve20143483-sql-injection(94250)

Source: MLIST
Type: UNKNOWN
[rubyonrails-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL

Source: CCN
Type: activerecord Web site
activerecord | RubyGems.org | your community gem host

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-3483

Vulnerable Configuration:

Configuration 1:

cpe:/a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:rubyonrails:rails:4.1.2:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:4.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:24906	P	DSA-2982-1 -- ruby-activerecord-3.2 - security update	2014-10-06
oval:com.ubuntu.cosmic:def:201434830000000	V	CVE-2014-3483 on Ubuntu 18.10 (cosmic) - medium.	2014-07-07
oval:com.ubuntu.artful:def:20143483000	V	CVE-2014-3483 on Ubuntu 17.10 (artful) - medium.	2014-07-07
oval:com.ubuntu.trusty:def:20143483000	V	CVE-2014-3483 on Ubuntu 14.04 LTS (trusty) - medium.	2014-07-07
oval:com.ubuntu.bionic:def:201434830000000	V	CVE-2014-3483 on Ubuntu 18.04 LTS (bionic) - medium.	2014-07-07
oval:com.ubuntu.bionic:def:20143483000	V	CVE-2014-3483 on Ubuntu 18.04 LTS (bionic) - medium.	2014-07-07
oval:com.ubuntu.xenial:def:20143483000	V	CVE-2014-3483 on Ubuntu 16.04 LTS (xenial) - medium.	2014-07-07
oval:com.ubuntu.xenial:def:201434830000000	V	CVE-2014-3483 on Ubuntu 16.04 LTS (xenial) - medium.	2014-07-07
oval:com.ubuntu.cosmic:def:20143483000	V	CVE-2014-3483 on Ubuntu 18.10 (cosmic) - medium.	2014-07-07
oval:com.ubuntu.precise:def:20143483000	V	CVE-2014-3483 on Ubuntu 12.04 LTS (precise) - medium.	2014-07-07

BACK