activerecord
RubyGems · 23 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting activerecord (page 1 of 1)
- CVE-2008-4094 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 2.1.1 · 2008-09-30
vulnerable: 1.0.0 ... 2.1.0 (39 versions)
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack…
- CVE-2010-3933 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.0.1 · 2010-10-28
vulnerable: 3.0.0
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
- CVE-2011-0448 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.0.4 · 2011-02-21
vulnerable: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4.rc1
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
- CVE-2011-2930 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.1.0.rc5 · 2011-08-29
vulnerable: 3.1.0.beta1, 3.1.0.rc1, 3.1.0.rc2, 3.1.0.rc3, 3.1.0.rc4
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow…
- CVE-2012-2661 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.2.4 · 2012-06-22
vulnerable: 3.2.0 ... 3.2.4.rc1 (8 versions)
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers …
- CVE-2012-2695 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 2.3.15 · 2012-06-22
vulnerable: 1.0.0 ... 2.3.9.pre (57 versions)
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to con…
- CVE-2012-6496 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 2.3.15 · 2013-01-04
vulnerable: 1.0.0 ... 2.3.9.pre (57 versions)
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect…
- CVE-2013-0155 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.2.11 · 2013-01-13
vulnerable: 3.2.0 ... 3.2.9.rc3 (21 versions)
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to …
- CVE-2013-0276 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.2.12 · 2013-02-13
vulnerable: 3.2.0 ... 3.2.9.rc3 (22 versions)
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
- CVE-2013-0277 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.1.0 · 2013-02-13
vulnerable: 3.0.0 ... 3.1.0.rc8 (45 versions)
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YA…
- CVE-2013-1854 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.2.13 · 2013-03-19
vulnerable: 3.2.0 ... 3.2.9.rc3 (25 versions)
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via cra…
- CVE-2013-3221 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 4.2.0 · 2013-04-22
vulnerable: 1.0.0 ... 4.2.0.rc3 (255 versions)
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier …
- CVE-2014-0080 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 4.1.0.beta2 · 2014-02-20
vulnerable: 4.1.0.beta1
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add da…
- CVE-2014-3482 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.2.19 · 2014-07-07
vulnerable: 2.0.0 ... 3.2.9.rc3 (137 versions)
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL…
- CVE-2014-3483 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 4.1.3 · 2014-07-07
vulnerable: 4.1.0 ... 4.1.2.rc3 (6 versions)
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute…
- CVE-2014-3514 · Severity NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 4.1.5 · 2014-08-20
vulnerable: 4.1.0 ... 4.1.4 (8 versions)
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an appli…
- CVE-2015-7577 · Severity MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 5.0.0.beta1.1 · 2016-02-16
vulnerable: 5.0.0.beta1
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certai…
- CVE-2016-6317 · Severity HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 4.2.7.1 · 2016-09-07
vulnerable: 4.2.0 ... 4.2.7.rc1 (20 versions)
Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-que…
- CVE-2021-22880 · Severity HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 6.1.2.1 · 2021-02-11
vulnerable: 6.1.0, 6.1.1, 6.1.2
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (ReDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQ…
- CVE-2022-32224 · Severity CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 5.2.8.1 · 2022-12-05
vulnerable: 1.0.0 ... 5.2.8 (362 versions)
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker who can manipulate data in the database (via means like SQL in…
- CVE-2022-44566 · Severity HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 7.0.4.1 · 2023-02-09
vulnerable: 7.0.0 ... 7.0.4 (10 versions)
A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64-bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target colu…
- CVE-2023-22794 · Severity HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 7.0.4.1 · 2023-02-09
vulnerable: 7.0.0 ... 7.0.4 (10 versions)
A vulnerability in ActiveRecord before 6.0.6.1, 6.1.7.1 and 7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs …
- CVE-2025-55193 · Severity LOW · CVSS 2.7 · EG 0.0 · ✓ Fixed in 7.1.5.2 · 2025-08-13
vulnerable: 1.0.0 ... 7.1.5.1 (480 versions)
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is written directly to the terminal it may include unes…
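The LIMIT/OFFSET injections above (CVE-2008-4094, CVE-2011-0448) share one shape: a request value reaches the SQL text as a string. The block below is an added example, not code from the activerecord gem or the Rails advisories. It shows the vulnerable interpolation next to an integer-only check in the spirit of the fix; the helper names, `MAX_LIMIT`, and the assumption that the table name is trusted are all mine, and the check is deliberately stricter than Rails' own (which also accepts MySQL-style `offset,count` lists).

```ruby
# Added example, not code from the activerecord gem. Shows the pattern behind
# CVE-2008-4094 / CVE-2011-0448 (a request value reaching LIMIT/OFFSET as a
# string) and an integer-only check in the spirit of the fix. Helper names
# are hypothetical; the table name is assumed to be trusted, not user input.

MAX_LIMIT = 100 # assumed application ceiling, not a Rails default

# Vulnerable pattern: whatever the caller passes is spliced into the SQL.
# "1; DROP TABLE posts--" or "1 UNION SELECT ..." goes straight through.
def unsafe_limit_sql(table, limit, offset)
  "SELECT * FROM #{table} LIMIT #{limit} OFFSET #{offset}"
end

# Accept only an unsigned base-10 integer. A regex is used instead of
# Integer() because Integer("0x10") and Integer("1_000") also succeed, and
# because MySQL-style "offset,count" lists are not wanted here. The value
# is clamped to MAX_LIMIT so a caller cannot ask for the whole table.
def sanitize_limit(value)
  str = value.to_s.strip
  unless str.match?(/\A\d{1,6}\z/)
    raise ArgumentError, "limit must be a non-negative integer, got #{value.inspect}"
  end
  [str.to_i, MAX_LIMIT].min
end

def sanitize_offset(value)
  str = value.to_s.strip
  unless str.match?(/\A\d{1,9}\z/)
    raise ArgumentError, "offset must be a non-negative integer, got #{value.inspect}"
  end
  str.to_i
end

# Hardened pattern: only integers ever reach the SQL string.
def safe_limit_sql(table, limit, offset)
  "SELECT * FROM #{table} LIMIT #{sanitize_limit(limit)} OFFSET #{sanitize_offset(offset)}"
end

if __FILE__ == $PROGRAM_NAME
  hostile = "1; DROP TABLE posts--" # constructed attacker input
  puts unsafe_limit_sql("posts", hostile, 0) # injection survives
  puts safe_limit_sql("posts", "10", "20")
  begin
    safe_limit_sql("posts", hostile, 0)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The same check belongs in front of any `limit`/`offset` call that takes pagination parameters from a request, even on a patched Rails: the framework's `Integer()` conversion stops injection, but a clamp is still needed to stop a caller paging through the entire table.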
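CVE-2013-0155 and CVE-2016-6317 both describe the gap between what JSON can deliver to a finder (`null`, arrays, nested objects) and what the query was written for (a string), the effect being a NULL check where the developer expected an equality test. The following is an added example, not Active Record's code: `render_condition` is a simplified stand-in for how a hash condition becomes SQL (enough to show that the Ruby type of the value decides the predicate), and `require_scalar` is a hypothetical guard that rejects anything but a non-empty string before the value reaches the query.

```ruby
require "json"

# Added example, not code from the activerecord gem. Models the bug class in
# CVE-2013-0155 / CVE-2016-6317: a JSON body hands the finder nil or an array
# where a string was expected, and nil is rendered as IS NULL.
# render_condition is a deliberately simplified stand-in for how Active
# Record turns a hash condition into SQL; require_scalar is hypothetical.

def quote(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Simplified model of hash-condition rendering: the Ruby type of the value,
# not the developer's intent, decides which predicate is emitted.
def render_condition(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    non_nil = value.compact
    parts = []
    parts << "#{column} IN (#{non_nil.map { |v| quote(v) }.join(', ')})" unless non_nil.empty?
    parts << "#{column} IS NULL" if non_nil.size != value.size
    parts.empty? ? "1=0" : parts.join(" OR ")
  else
    "#{column} = #{quote(value)}"
  end
end

# Vulnerable: the raw JSON value goes into the condition. {"token": null}
# turns a reset-token lookup into "WHERE reset_token IS NULL", which matches
# every user who has no outstanding reset, instead of exactly one.
def lookup_sql_unsafe(body_json)
  params = JSON.parse(body_json)
  "SELECT * FROM users WHERE #{render_condition('reset_token', params['token'])}"
end

# Guard: insist on the type the query was written for. Permitting a key
# does not by itself guarantee its value is a non-empty string.
def require_scalar(params, key)
  value = params[key]
  unless value.is_a?(String) && !value.strip.empty?
    raise ArgumentError, "#{key} must be a non-empty string, got #{value.inspect}"
  end
  value
end

def lookup_sql_safe(body_json)
  params = JSON.parse(body_json)
  "SELECT * FROM users WHERE #{render_condition('reset_token', require_scalar(params, 'token'))}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request bodies, the first two being the attacker's.
  ['{"token": null}', '{"token": [null]}', '{"token": "abc"}'].each do |body|
    puts "#{body} -> #{lookup_sql_unsafe(body)}"
    begin
      puts "  guarded: #{lookup_sql_safe(body)}"
    rescue ArgumentError => e
      puts "  guarded: rejected (#{e.message})"
    end
  end
end
```

On patched Rails the framework no longer collapses `[null]` to `nil` for these lookups, but `{"token": null}` still yields a `nil` parameter, so the type check stays the application's responsibility wherever a single record is selected by a secret.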
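CVE-2013-0277 and CVE-2022-32224 are the same failure a decade apart: a column declared with the `serialize` helper is parsed by a YAML loader that honours `!ruby/object` tags, so whoever can write the column (in 2022 the advisory's precondition is an attacker who can already manipulate the database) chooses which Ruby class gets instantiated on read. The block below is an added example, not the gem's implementation; `AuditHook` is a harmless stand-in for a real gadget class, the column contents are constructed, and the default `permitted_classes: [Symbol]` mirrors the default Rails adopted for `yaml_column_permitted_classes` after the fix.

```ruby
require "yaml"

# Added example, not code from the activerecord gem. Demonstrates the bug
# class in CVE-2013-0277 / CVE-2022-32224: a YAML serialized column parsed
# with the unrestricted loader instantiates whatever class the YAML names.

# Harmless stand-in for "any class reachable from YAML". In a real gadget
# chain this would be a class whose initialization, method_missing or
# finalizer has side effects.
class AuditHook
  attr_accessor :command
end

# Pre-fix behaviour: the unrestricted Psych loader honours !ruby/object tags.
# Psych >= 4 renamed this path to unsafe_load; older Psych has only load.
def unsafe_load_column(raw)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(raw) : Psych.load(raw)
end

# Post-fix behaviour: only the listed classes may be instantiated; anything
# else raises Psych::DisallowedClass instead of running code. [Symbol] is
# the default Rails chose for yaml_column_permitted_classes (assumption
# about the default is stated in the lead-in).
def safe_load_column(raw, permitted_classes: [Symbol])
  Psych.safe_load(raw, permitted_classes: permitted_classes, aliases: true)
end

# Constructed sample column contents.
HOSTILE_COLUMN = "--- !ruby/object:AuditHook\ncommand: \"id\"\n"
BENIGN_COLUMN  = "---\n:theme: dark\nper_page: 25\n"

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_load_column(HOSTILE_COLUMN)
  puts "unrestricted loader built a #{obj.class} with command=#{obj.command.inspect}"
  puts "restricted loader on benign column: #{safe_load_column(BENIGN_COLUMN).inspect}"
  begin
    safe_load_column(HOSTILE_COLUMN)
  rescue Psych::DisallowedClass => e
    puts "restricted loader refused: #{e.message}"
  end
end
```

When an existing column legitimately stores other classes, the fix is to list them explicitly in `permitted_classes` rather than switching the loader back to the unrestricted path; a serialization format without a class-instantiation tag (JSON) removes the question entirely.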
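The comment-sanitization issue (CVE-2023-22794) is easiest to see with the comment written out: `annotate`, `optimizer_hints` and QueryLogs tags all wrap caller-supplied text in `/* ... */`, and a `*/` inside that text ends the comment early so the remainder executes as SQL. The following is an added example, not the gem's code; `sanitize_as_sql_comment` is my approximation of the kind of filter the fix introduced, not the Rails implementation, and the hostile input is constructed.

```ruby
# Added example, not code from the activerecord gem. Illustrates the bug
# class in CVE-2023-22794: text appended to a statement as a /* */ comment
# can close the comment early. sanitize_as_sql_comment is an approximation
# of the kind of filter the fix introduced, not the gem's implementation.

# Vulnerable: the comment body is trusted.
def unsafe_annotated_sql(sql, comment)
  "#{sql} /* #{comment} */"
end

# Strip comment openers ("/*", "/*+", plus trailing whitespace) and closers
# ("*/" plus leading whitespace). Removing a match can join a leftover "*"
# to a leftover "/", so a second pass breaks any "*/" that survives; the
# wrapper's own "*/" is then the only terminator in the statement.
def sanitize_as_sql_comment(value)
  value.to_s.gsub(%r{/\*+\+?\s*|\s*\*+/}, "").gsub("*/", "* /")
end

def safe_annotated_sql(sql, comment)
  "#{sql} /* #{sanitize_as_sql_comment(comment)} */"
end

if __FILE__ == $PROGRAM_NAME
  hostile = "x */ ; DROP TABLE users; --" # constructed attacker input
  puts unsafe_annotated_sql("SELECT 1", hostile) # DROP TABLE is live SQL
  puts safe_annotated_sql("SELECT 1", hostile)   # stays inside the comment
  puts sanitize_as_sql_comment("/*+ MAX_EXECUTION_TIME(1000) */")
end
```

The check to keep in code review is simpler than the regex: no value that originated in a request should reach `annotate`, `optimizer_hints` or a QueryLogs tag at all, since even a sanitized comment is a channel for attacker-chosen text in the database log.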