GitHub Advisory DatabaseGHSA-JMM9-2P29-VH2W

HistoryOct 24, 2017 - 6:33 p.m.

activerecord vulnerable to SQL Injection

2017-10-2418:33:38

CWE-89

GitHub Advisory Database

github.com

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

70.8%

JSON

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

Affected configurations

Vulners

Node

activerecord_projectactiverecordRange<3.0.4ruby

CPENameOperatorVersion
activerecordlt3.0.4

CPE	Name	Operator	Version
	activerecord	lt	3.0.4

References

groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain

lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html

weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

github.com/advisories/GHSA-jmm9-2p29-vh2w

github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474

github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.yml

nvd.nist.gov/vuln/detail/CVE-2011-0448

web.archive.org/web/20201220214809/securitytracker.com/id?1025063

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

70.8%

JSON

Related for GHSA-JMM9-2P29-VH2W