Updated advisory posts against rubysec/ruby-advisory-db@2a75a71

jasnow · RubySec CI · commit e9f6f915e54f · 2026-01-17T23:52:20.000Z
diff --git a/advisories/_posts/2013-02-25-GHSA-5qw5-wf2q-f538.md b/advisories/_posts/2013-02-25-GHSA-5qw5-wf2q-f538.md
@@ -0,0 +1,37 @@
+---
+layout: advisory
+title: 'GHSA-5qw5-wf2q-f538 (activerecord-jdbc-adapter): ActiveRecord-JDBC-Adapter
+  (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection'
+comments: false
+categories:
+- activerecord-jdbc-adapter
+- jruby
+advisory:
+  gem: activerecord-jdbc-adapter
+  platform: jruby
+  osvdb: 114854
+  ghsa: 5qw5-wf2q-f538
+  url: https://github.com/advisories/GHSA-5qw5-wf2q-f538
+  title: ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub()
+    Function SQL Injection
+  date: 2013-02-25
+  description: |
+    ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying
+    out an SQL injection attack. The issue is due to the sql.gsub() function in
+    lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before
+    using it in SQL queries. This may allow a remote attacker to inject or
+    manipulate SQL queries in the back-end database, allowing for the
+    manipulation or disclosure of arbitrary data.
+  unaffected_versions:
+  - "< 1.2.6"
+  patched_versions:
+  - ">= 1.2.8"
+  related:
+    url:
+    - https://github.com/jruby/activerecord-jdbc-adapter/issues/322
+    - https://github.com/jruby/activerecord-jdbc-adapter/blob/master/lib/arjdbc/jdbc/adapter.rb
+    - https://my.diffend.io/gems/activerecord-jdbc-adapter/1.2.5/1.2.8
+    - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDJDBCADAPTER-20076
+    - https://github.com/advisories/GHSA-5qw5-wf2q-f538
+  notes: "- No CVE, CVSS values.\n"
+---
diff --git a/advisories/_posts/2014-09-29-GHSA-mpwp-4h2m-765c.md b/advisories/_posts/2014-09-29-GHSA-mpwp-4h2m-765c.md
@@ -0,0 +1,35 @@
+---
+layout: advisory
+title: 'GHSA-mpwp-4h2m-765c (activejob): Active Job - Object injection security vulnerability
+  if Global IDs'
+comments: false
+categories:
+- activejob
+- rails
+advisory:
+  gem: activejob
+  framework: rails
+  ghsa: mpwp-4h2m-765c
+  osvdb: 112347
+  url: https://github.com/advisories/GHSA-mpwp-4h2m-765c
+  title: Active Job - Object injection security vulnerability if Global IDs
+  date: 2014-09-29
+  description: |
+    Active Job vulnerability: An Active Job bug allowed String
+    arguments to be deserialized as if they were Global IDs, an
+    object injection security vulnerability.
+
+    * In release post: "Active Job vulnerability:
+      We also fixed an Active Job bug that allowed String
+      arguments to be deserialized as if they were Global IDs,
+      an object injection security vulnerability.
+  patched_versions:
+  - ">= 4.2.0.beta2"
+  related:
+    url:
+    - https://advisories.gitlab.com/pkg/gem/activejob/OSVDB-112347
+    - https://rubyonrails.org/2014/9/29/Rails-4-2-0-beta2-has-been-released
+    - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/OSVDB-112347.yml
+    - https://github.com/advisories/GHSA-mpwp-4h2m-765c
+  notes: "- No CVE or CVSS values.\n"
+---
