Data Injection Vulnerability in Active Record
There is a data injection vulnerability in Active Record. Specially
crafted strings can be used to save data in PostgreSQL array columns that may
not be intended. This vulnerability has been assigned the CVE identifier
Versions Affected: 4.0.x, 4.1.0.beta1
Not affected: 3.2.x and older
Fixed Versions: 4.0.3, 4.1.0.beta2
XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human
There is an XSS vulnerability in the number_to_currency, number_to_percentage
and number_to_human helpers in Ruby on Rails. This vulnerability has been
assigned the CVE identifier CVE-2014-0081.
Versions Affected: All.
Fixed Versions: 4.1.0.beta2, 4.0.3, 3.2.17.
Denial of Service Vulnerability in Action View when using render :text
There is a denial of service vulnerability in the text rendering component of
Action View. This vulnerability has been assigned the CVE identifier
Versions Affected: 3.0.x, 3.1.x, 3.2.x
Not affected: 4.0.x
Fixed Versions: 3.2.17
Rails 3.2.17 and 4.0.3 are now in the tree. There are no stable versions at the moment.
(In reply to Hans de Graaff from comment #1)
> Rails 3.2.17 and 4.0.3 are now in the tree. There are no stable versions at
> the moment.
Vulnerable versions have been removed.
Maintainer(s), thank you for the cleanup!
No GLSA needed as there are no stable versions.