Miggo Logo

CVE-2014-3482: SQL Injection in Active Record

N/A

CVSS Score

Basic Information

EPSS Score
0.79798%
Published
10/24/2017
Updated
3/14/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
activerecordrubygems>= 2.0.0, < 3.2.193.2.19

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper regex anchoring in bitstring validation within the quote method. The patch changes regex delimiters from ^/$ (which match line start/end) to \A/\Z (which match string start/end), indicating the vulnerable code path was in the bitstring handling branch of the quote method. This function would appear in stack traces when processing user input for PostgreSQL bitstring columns, making it the primary runtime indicator.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

SQL inj**tion vuln*r**ility in **tiv*r**or*/li*/**tiv*_r**or*/*onn**tion_***pt*rs/post*r*sql_***pt*r.r* in t** Post*r*SQL ***pt*r *or **tiv* R**or* in Ru*y on R*ils *.x *n* *.x ***or* *.*.** *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry SQL *omm*n*s *

Reasoning

T** vuln*r**ility st*ms *rom improp*r r***x *n**orin* in *itstrin* v*li**tion wit*in t** `quot*` m*t*o*. T** p*t** ***n**s r***x **limit*rs *rom `^/$` (w*i** m*t** lin* st*rt/*n*) to `\*/\Z` (w*i** m*t** strin* st*rt/*n*), in*i**tin* t** vuln*r**l* *