activerecord vulnerable to SQL Injection
GHSA-jmm9-2p29-vh2w · CVE-2011-0448
Ecosystem: RubyGems · Package: activerecord · Severity: Unknown
Description
Ruby on Rails 3.0.x before 3.0.4 does not check that the argument passed to ActiveRecord's `limit` query method is an integer; the value is placed into the generated SQL as given. An application that passes attacker-controlled input to `limit` therefore exposes a SQL injection: a remote attacker can supply a non-numeric argument and have it appended to the query. Fixed in Rails 3.0.4 (see the release announcement in the references).
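The snippet below is an added illustration of the bug class and is not code from the advisory or from Rails. It contrasts a LIMIT value interpolated into SQL exactly as received with one coerced through `Integer()`, which is the general idea behind validating the argument; `unsafe_limit_sql`, `safe_limit_sql` and `sanitize_limit` are illustrative helper names, and the input `"1; DROP TABLE posts"` is a constructed stand-in for attacker-controlled request data (the typical vulnerable pattern being something like `Post.limit(params[:limit])`).

```ruby
# Added example (not ActiveRecord's code). Shows why an unvalidated LIMIT
# argument is dangerous and what an integer-only check looks like.

# Vulnerable pattern: the limit is interpolated into the SQL string verbatim,
# so a non-numeric value becomes part of the query.
def unsafe_limit_sql(table, limit)
  "SELECT * FROM #{table} LIMIT #{limit}"
end

# Hardened helper: accept only integers, or an "offset,count" pair (a form
# MySQL accepts). Integer() raises ArgumentError for anything that is not a
# whole number, so injected SQL never reaches the query string.
def sanitize_limit(limit)
  if limit.to_s.include?(',')
    limit.to_s.split(',').map { |part| Integer(part.strip) }.join(',')
  else
    Integer(limit)
  end
end

# Safe variant: same query shape, but the limit has been validated first.
def safe_limit_sql(table, limit)
  "SELECT * FROM #{table} LIMIT #{sanitize_limit(limit)}"
end

if __FILE__ == $0
  # Constructed attacker input standing in for params[:limit].
  payload = "1; DROP TABLE posts"

  puts "unsafe: #{unsafe_limit_sql('posts', payload)}"
  begin
    puts "safe:   #{safe_limit_sql('posts', payload)}"
  rescue ArgumentError => e
    puts "safe:   rejected (#{e.message})"
  end
  puts "safe:   #{safe_limit_sql('posts', '5, 10')}"
end
```

Rejecting the value with an exception (rather than silently coercing with `to_i`) is the behaviour you want here: `"1; DROP TABLE posts".to_i` would quietly return 1 and hide the attempted injection from logs and tests.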
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2011-0448
- WEB https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474
- PACKAGE https://github.com/rails/rails
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.yml
- WEB https://web.archive.org/web/20201220214809/http://securitytracker.com/id?1025063
- WEB http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain
- WEB http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
- WEB http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4