CVE-2011-0448
EPSS 0.69%activerecord vulnerable to SQL Injection
Published: 10/24/2017Modified: 11/28/2024
Also known as:GHSA-jmm9-2p29-vh2w
Description
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
Affected packages (1)
- RubyGems/activerecord>= 3.0.0, < 3.0.4
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2011-0448
- PATCHhttps://github.com/rails/rails
- WEBhttp://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
- WEBhttps://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.yml
- WEBhttps://web.archive.org/web/20201220214809/http://securitytracker.com/id?1025063
- WEBhttp://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4