RubySec

Providing security resources for the Ruby community

CVE-2011-2930 (activerecord): SQL Injection Vulnerability in quote_table_name in rails/activerecord

ADVISORIES

GEM

activerecord

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

  • ~> 2.3.13
  • ~> 3.0.10
  • ~> 3.1.0.rc5
  • >= 3.1.0

DESCRIPTION

Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.

RELATED