Version 8.0.1

activerecord

Ruby on Rails

Install Instructions

gem install activerecord
Current Version Release Date: December 13, 2024
Language: Ruby
Package URL (purl): pkg:gem/activerecord@8.0.1

activerecord Vulnerabilities

CVE | Severity | CVSS Score | CWE(s) | EPSS Score | EPSS Percentile | Impacted Versions
--- | --- | --- | --- | --- | --- | ---
CVE-2012-2660 | Medium | 6.4 | CWE-943, CWE-264 | 0.00365 | 0.72144 | 3.0.0–3.2.4.rc1; 2.0.0–2.3.18; 1.0.0–1.15.6
CVE-2012-2661 | Medium | 5 | CWE-89 | 0.00121 | 0.46883 | 3.0.0–3.2.4.rc1
CVE-2012-2695 | High | 7.5 | CWE-89 | 0.05726 | 0.93247 | 3.0.0–3.2.5; 2.0.0–2.3.18; 1.0.0–1.15.6
CVE-2012-6496 | High | 7.5 | CWE-89 | 0.00416 | 0.73804 | 3.0.0–3.2.9.rc3; 2.0.0–2.3.18; 1.0.0–1.15.6
CVE-2013-0155 | Medium | 6.4 | CWE-264, CWE-284 | 0.01969 | 0.88437 | 3.0.0–3.2.10
CVE-2013-0277 | High | 10 | CWE-94 | 0.12887 | 0.95473 | 3.0.0–3.1.0.beta1; 2.0.0–2.3.16; 1.0.0–1.15.6
CVE-2014-3482 | High | 7.5 | CWE-89 | 0.0092 | 0.82699 | 3.0.0–3.2.18; 2.0.0–2.3.18
CVE-2022-32224 | High | 9.8 | CWE-502 | 0.0018 | 0.55487 | 7.0.0–7.0.3; 6.0.0–6.1.6; 5.0.0–5.2.8; 4.0.0–4.2.11.3; 3.0.0–3.2.22.5; 2.0.0–2.3.18; 1.0.0–1.15.6
CVE-2022-44566 | High | 7.5 | CWE-400 | 0.00066 | 0.30824 | 7.0.0–7.0.4; 6.0.0–6.1.7; 5.0.0–5.2.8.1; 4.0.0–4.2.11.3; 3.0.0–3.2.22.5; 2.0.0–2.3.18; 1.0.0–1.15.6
CVE-2008-4094 | High | 7.5 | CWE-89 | 0.00543 | 0.77221 | 2.0.0–2.1.0; 1.0.0–1.15.6
CVE-2013-0276 | Medium | 4.3 | CWE-264, CWE-284 | 0.0131 | 0.85629 | 3.1.0–3.2.11; 2.0.0–2.3.16; 1.0.0–1.15.6
CVE-2011-2930 | High | 7.5 | CWE-89 | 0.00358 | 0.71879 | 3.0.0–3.0.10.rc1; 2.0.0–2.3.12
CVE-2013-1854 | Medium | 5 | CWE-400, CWE-20 | 0.08862 | 0.94562 | 3.1.0–3.2.13.rc2; 2.3.2–2.3.17
CVE-2015-7577 | Medium | 5.3 | CWE-284 | 0.00678 | 0.79783 | 5.0.0.beta1; 4.0.0–4.2.5.rc2; 3.1.0–3.2.22
CVE-2011-0448 | High | 7.5 | CWE-89 | 0.00341 | 0.71205 | 3.0.0–3.0.4.rc1
CVE-2010-3933 | Medium | 6.4 | CWE-20 | 0.00376 | 0.72528 | 3.0.0; 2.3.9
CVE-2014-3483 | High | 7.5 | CWE-89 | 0.01242 | 0.85239 | 4.0.0–4.1.2.rc3
CVE-2014-3514 | High | 7.5 | CWE-264, CWE-74 | 0.00741 | 0.80704 | 4.0.0–4.1.4
CVE-2023-22794 | High | 8.8 | CWE-89 | 0.00268 | 0.67346 | 7.0.0–7.0.4; 6.0.0–6.1.7
CVE-2021-22880 | High | 7.5 | CWE-400 | 0.00721 | 0.80429 | 6.0.0–6.1.2; 5.0.0–5.2.4.4
CVE-2016-6317 | High | 7.5 | CWE-476, CWE-943, CWE-284 | 0.00328 | 0.70595 | 4.2.0–4.2.7.rc1

activerecord Vulnerability Remediation Guidance

Each entry lists the CVE, its description, the impacted versions known to this page (the page truncates most of these lists), and the fix it recommends.

CVE-2023-22794
Description: A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.
Impacted versions (partial list): 6.1.6.1, 7.0.3, 6.1.5, 6.1.4.7, 6.1.4.6, 6.0.4.8, 7.0.2, 6.0.4.7
Fix: Patch → 6.1.7.1

CVE-2022-44566
Description: A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64-bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
Impacted versions (partial list): 3.0.12, 1.14.4, 3.0.7.rc1, 3.2.4.rc1, 3.1.4.rc1, 3.1.7, 3.2.4, 3.0.2
Fix: Patch → 6.1.7.1

CVE-2022-32224
Description: A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
Impacted versions (partial list): 3.0.12, 1.14.4, 3.0.7.rc1, 3.2.4.rc1, 3.1.4.rc1, 3.1.7, 3.2.4, 3.0.2
Fix: Patch → 6.1.7.1

CVE-2021-22880
Description: The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
Impacted versions (partial list): 6.1.2, 5.1.2, 5.1.3, 5.0.1.rc1, 6.0.3.2, 6.0.1, 6.0.0, 5.2.4.3
Fix: Patch → 6.1.7.1

CVE-2016-6317
Description: Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
Impacted versions (partial list): 4.2.7.rc1, 4.2.6, 4.2.2, 4.2.5, 4.2.5.rc1, 4.2.1.rc2, 4.2.5.2, 4.2.0
Fix: Patch → 6.1.7.1

CVE-2015-7577
Description: activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
Impacted versions (partial list): 3.2.4.rc1, 3.1.4.rc1, 3.1.7, 3.2.4, 3.2.3, 3.1.5.rc1, 3.2.7.rc1, 3.1.6
Fix: Patch → 6.1.7.1

CVE-2014-3514
Description: activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.
Impacted versions (partial list): 4.1.1, 4.0.1, 4.0.2, 4.0.1.rc4, 4.1.2.rc3, 4.1.0, 4.0.6, 4.0.6.rc3
Fix: Patch → 6.1.7.1

CVE-2014-3483
Description: SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.
Impacted versions (partial list): 4.1.1, 4.0.1, 4.0.2, 4.0.1.rc4, 4.1.2.rc3, 4.1.0, 4.0.6, 4.0.6.rc3
Fix: Patch → 6.1.7.1

CVE-2014-3482
Description: SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.
Impacted versions (partial list): 3.0.12, 3.0.7.rc1, 3.2.4.rc1, 3.1.4.rc1, 3.1.7, 3.2.4, 3.0.2, 3.0.6.rc2
Fix: Patch → 6.1.7.1

CVE-2013-1854
Description: The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
Impacted versions (partial list): 3.2.4.rc1, 3.1.4.rc1, 3.1.7, 3.2.4, 3.2.3, 2.3.10, 2.3.9.pre, 2.3.4
Fix: Patch → 6.1.7.1

CVE-2013-0277
Description: ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
Impacted versions (partial list): 3.0.12, 1.14.4, 3.0.7.rc1, 3.0.2, 3.0.6.rc2, 3.0.11, 3.0.17, 2.3.10
Fix: Patch → 6.1.7.1

CVE-2013-0276
Description: ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
Impacted versions (partial list): 1.14.4, 3.2.4.rc1, 3.1.4.rc1, 3.1.7, 3.2.4, 3.2.3, 2.3.10, 2.3.9.pre
Fix: Patch → 6.1.7.1

CVE-2013-0155
Description: Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
Impacted versions (partial list): 3.0.12, 3.0.7.rc1, 3.2.4.rc1, 3.1.4.rc1, 3.1.7, 3.2.4, 3.0.2, 3.0.6.rc2
Fix: Patch → 6.1.7.1

CVE-2012-6496
Description: SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
Impacted versions (partial list): 3.0.12, 1.14.4, 3.0.7.rc1, 3.2.4.rc1, 3.1.4.rc1, 3.1.7, 3.2.4, 3.0.2
Fix: Patch → 6.1.7.1

CVE-2012-2695
Description: The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
Impacted versions (partial list): 3.0.12, 1.14.4, 3.0.7.rc1, 3.2.4.rc1, 3.1.4.rc1, 3.2.4, 3.0.2, 3.0.6.rc2
Fix: Patch → 6.1.7.1

CVE-2012-2661
Description: The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
Impacted versions (partial list): 3.0.12, 3.0.7.rc1, 3.2.4.rc1, 3.1.4.rc1, 3.0.2, 3.0.6.rc2, 3.2.3, 3.0.11
Fix: Patch → 6.1.7.1

CVE-2012-2660
Description: actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
Impacted versions (partial list): 3.0.12, 1.14.4, 3.0.7.rc1, 3.2.4.rc1, 3.1.4.rc1, 3.0.2, 3.0.6.rc2, 3.2.3
Fix: Patch → 6.1.7.1

CVE-2011-2930
Description: Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
Impacted versions (partial list): 3.0.7.rc1, 3.0.2, 3.0.6.rc2, 2.3.10, 2.3.9.pre, 2.3.4, 2.3.5, 2.1.0
Fix: Patch → 6.1.7.1

CVE-2011-0448
Description: Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
Impacted versions: 3.0.2, 3.0.3, 3.0.1, 3.0.0, 3.0.4.rc1
Fix: Patch → 6.1.7.1

CVE-2010-3933
Description: Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
Impacted versions: 2.3.9, 3.0.0
Fix: Patch → 6.1.7.1

CVE-2008-4094
Description: Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
Impacted versions (partial list): 1.14.4, 2.1.0, 1.14.2, 1.9.1, 1.13.0, 1.15.6, 1.3.0, 1.13.1
Fix: Patch → 6.1.7.1

Dependencies

Packages using versions of activerecord affected by its vulnerabilities

Dependent Packages
activemodel = 8.0.1
activesupport = 8.0.1
timeout >= 0.4.0