← Back

CVE-2022-32224

nvd nist
Published: Dec 5, 2022Modified: May 11, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.

Affected (4)

Activerecord Project
1 product
Activerecord
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Activerecord
Before 5.2.8.1
Activerecord
From 6.0.0 to 6.0.5.1
Activerecord
From 6.1.0 to 6.1.6.1
Activerecord
From 7.0.0 to 7.0.3.1

Related CWEs

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (5)

Source: support@hackerone.com
PatchThird Party Advisory
Source: support@hackerone.com
ExploitMailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitMailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.