CVE-2014-0080

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions 4.0.x through 4.0.2 Ruby on Rails version 4.1.0.beta1

Description The issue allows remote attackers to execute SQL commands via vectors involving backslash characters that are not properly handled in operations on array columns when PostgreSQL is used. This is due to a SQL injection vulnerability in the activerecord/lib/active record/connection adapters/postgresql/cast.rb file in Active Record.

Recommendations For Ruby on Rails versions 4.0.x through 4.0.2, update to version 4.0.3 or later. For Ruby on Rails version 4.1.0.beta1, consider upgrading to a later version that addresses this issue. As a temporary workaround, consider restricting the use of backslash characters in operations on array columns until a patch is available.