CVE-2014-3482: SQL Injection in Active Record
CVSS Score: N/A

Basic Information
CVE ID: CVE-2014-3482
GHSA ID:
EPSS Score: 0.79798%
CWE:
Published: 10/24/2017
Updated: 3/14/2023
KEV Status: No
Technology: Ruby

Technical Details
CVSS Vector: -
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
activerecord | rubygems | >= 2.0.0, < 3.2.19 | 3.2.19 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper regex anchoring in the bitstring validation inside the `quote` method. The patterns were delimited with `^` and `$`, which in Ruby match the start and end of a line rather than of the whole string, so a value containing a newline passed validation as long as one of its lines consisted only of bit digits (or, for the hexadecimal form, hex digits); the remaining lines were then interpolated unchanged into the quoted SQL literal. The patch changes the anchors to `\A` and `\Z`, which match the start and end of the string, confirming that the vulnerable code path was the bitstring handling branch of `quote`. That method appears in stack traces when user input is quoted for PostgreSQL bitstring columns, making it the primary runtime indicator.
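The anchoring flaw described above, as an added example (this is not code from Active Record or from this page): the `^`/`$` check and the `\A`/`\Z` check side by side, fed constructed multi-line inputs that pass the first and are rejected by the second. The function names, the `widgets` table, the `flags` column and the payloads are assumptions made for the illustration.

```ruby
# Added example, not Active Record's own code: a minimal re-creation of the
# bitstring branch of the PostgreSQL adapter's quote method, in the form the
# advisory describes as vulnerable (^/$) and in the patched form (\A/\Z).
# `value` stands in for the String the adapter receives for a bit column.

# Vulnerable form (Active Record < 3.2.19). In Ruby, ^ and $ are always
# line anchors, so a multi-line value passes as long as ONE of its lines
# is made up solely of [01] (or hex) digits; the other lines are then
# interpolated unescaped into the SQL literal.
def quote_bitstring_vulnerable(value)
  case value
  when /^[01]*$/      then "B'#{value}'"  # Bit-string notation
  when /^[0-9A-F]*$/i then "X'#{value}'"  # Hexadecimal notation
  end
end

# Patched form (Active Record 3.2.19): \A and \Z anchor the whole string,
# so the character class has to account for every character of the value.
def quote_bitstring_patched(value)
  case value
  when /\A[01]*\Z/      then "B'#{value}'"
  when /\A[0-9A-F]*\Z/i then "X'#{value}'"
  end
end

# Assembles the statement the adapter would send (hypothetical table and
# column). Returns nil when quoting rejected the value (neither regex
# matched), which is the safe outcome here.
def build_update(quoted)
  return nil if quoted.nil?
  "UPDATE widgets SET flags = #{quoted} WHERE id = 1"
end

# Constructed attacker inputs (not from the advisory). In the first, the
# line "1" satisfies ^[01]*$ on its own: ^ matches at the start of the
# string and $ matches before the newline. Everything after the newline
# then closes the B'...' literal and appends a second statement.
PAYLOAD_LEADING_BITS  = "1\n'; DELETE FROM widgets; --"
# In the second, ^ matches after the embedded newline and the trailing "1"
# satisfies the class up to $ at the end of the string.
PAYLOAD_TRAILING_BITS = "'; DELETE FROM widgets; --\n1"

if __FILE__ == $0
  [PAYLOAD_LEADING_BITS, PAYLOAD_TRAILING_BITS].each do |payload|
    puts "vulnerable: #{build_update(quote_bitstring_vulnerable(payload)).inspect}"
    puts "patched:    #{build_update(quote_bitstring_patched(payload)).inspect}"
  end
end
```

Running the file prints the statement each version would emit; the vulnerable one carries the attacker's text with the string quote closed, the patched one yields `nil` because neither pattern matches the whole value. The example only shows how far the value gets into the SQL string; it does not model what PostgreSQL does with the resulting statement. One caveat for anyone copying the patched pattern: `\Z` still matches before a single trailing newline, so `"01\n"` passes and produces `B'01\n'`; Ruby's strict end-of-string anchor is `\z`.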