CVE-2022-32224

Advisory lineage Upstream: 0 Downstream: 10

Downstream

DEBIAN-CVE-2022-32224 OPENSUSE-SU-2023:0009-1 OPENSUSE-SU-2024:12244-1 OPENSUSE-SU-2024:12879-1 OPENSUSE-SU-2024:14069-1 OPENSUSE-SU-2025:15112-1

Modified

Published: 05 Dec 2022, 00:00

Last modified:11 May 2026, 16:53

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (cve.org)

EPSS Score

1.94% LOW

2% probability -0.31%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

05 Dec 2022, 00:00

Published

Vulnerability first disclosed

11 May 2026, 16:53

Last Modified

Vulnerability information updated

Description

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 1.94%• Percentile: 84%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

activerecord_project•activerecord
< 5.2.8.1 | ≥ 6.0.0, < 6.0.5.1 | ≥ 6.1.0, < 6.1.6.1 | ≥ 7.0.0, < 7.0.3.1