CVE-2014-0080

medium

Published 2014-02-18 · Modified 2024-12-08

CVSS v3

—

CVSS v2

6.8

VIR risk

6.8

Description

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-0080

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`0`
debian	bullseye	fixed	`0`
debian	forky	fixed	`0`
debian	sid	fixed	`0`
debian	trixie	fixed	`0`

Package impact

Ecosystem	Package	Vulnerable	Fixed
RubyGems	activerecord	`!< 3.2.0,!~> 3.2.0\|\|<~> 4.0.3`	`~> 4.0.3`
RubyGems	activerecord	`>=4.0.0,<4.0.3`	`4.0.3`
RubyGems	activerecord	`>=4.1.0.beta1,<4.1.0.beta2`	`4.1.0.beta2`

Application impact

Vendor	Product	Versions
rubyonrails	rails	`4.0.0`
rubyonrails	rails	`4.0.1`
rubyonrails	rails	`4.0.2`
rubyonrails	rails	`4.1.0`

References

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.