CVE-2011-0448

EPSS 0.69%

activerecord vulnerable to SQL Injection

發布日:2017/10/24修改日:2024/11/28

描述

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

受影響套件(1)

RubyGems/activerecord>= 3.0.0, < 3.0.4

參考連結(8)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2011-0448
PATCHhttps://github.com/rails/rails
WEBhttp://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain
WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
WEBhttps://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474
WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.yml
WEBhttps://web.archive.org/web/20201220214809/http://securitytracker.com/id?1025063
WEBhttp://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4