ADVISORIES

• CVE-2011-0448 (NVD)
• GHSA-jmm9-2p29-vh2w
• Vendor Advisory

GEM

activerecord

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v2.0: 7.5 (High)

UNAFFECTED VERSIONS

• < 3.0.0

PATCHED VERSIONS

• ~> 2.3.11
• > 3.0.4

DESCRIPTION

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2011-0448
• http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
• https://groups.google.com/g/rubyonrails-security/c/tliQLPa_Tu0/m/rUCt9kyGGU4J
• https://github.com/advisories/GHSA-jmm9-2p29-vh2w
• http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
• https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43278
• https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1025063