Lucene search

GoogleOSV:GHSA-JMM9-2P29-VH2W

HistoryOct 24, 2017 - 6:33 p.m.

activerecord vulnerable to SQL Injection

2017-10-2418:33:38

Google

osv.dev

0.003 Low

EPSS

Percentile

70.8%

JSON

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

CPENameOperatorVersion
activerecordeq3.0.0
activerecordeq3.0.2
activerecordeq3.0.1
activerecordeq3.0.3
activerecordeq3.0.4.rc1

Name	Operator	Version
activerecord	eq	3.0.0
activerecord	eq	3.0.2
activerecord	eq	3.0.1
activerecord	eq	3.0.3
activerecord	eq	3.0.4.rc1

References

groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain

lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html

weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

github.com/rails/rails

github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474

github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.yml

nvd.nist.gov/vuln/detail/CVE-2011-0448

web.archive.org/web/20201220214809/securitytracker.com/id?1025063

0.003 Low

EPSS

Percentile

70.8%

JSON

Related for OSV:GHSA-JMM9-2P29-VH2W