activerecord vulnerable to SQL Injection
High severity
GitHub Reviewed
Published
Oct 24, 2017
to the GitHub Advisory Database
•
Updated Nov 10, 2023
Package
Affected versions
>= 2.0.0, < 2.3.13
>= 3.0.0, < 3.0.10
Patched versions
2.3.13
3.0.10
Description
Published by the National Vulnerability Database
Aug 29, 2011
Published to the GitHub Advisory Database
Oct 24, 2017
Reviewed
Jun 16, 2020
Last updated
Nov 10, 2023
Multiple SQL injection vulnerabilities in the
quote_table_name
method in the ActiveRecord adapters inactiverecord/lib/active_record/connection_adapters/
in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.References