CVE-2008-4094
Ruby on Rails < 2.1.1 - SQL Injection via :limit and :offset Parameters
Title source: llmDescription
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
References (15)
Core 15
Core References
Various Sources x_refsource_confirm
http://gist.github.com/8946
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2008/09/13/2
Patch x_refsource_confirm
http://rails.lighthouseapp.com/projects/8994/tickets/964
Patch x_refsource_confirm
http://rails.lighthouseapp.com/projects/8994/tickets/288
Exploit, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/31875
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
Exploit, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/31910
Exploit x_refsource_misc
http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1020871
Exploit x_refsource_misc
http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2008/09/16/1
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/31176
Exploit, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/31909
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2562
Scores
EPSS
0.0312
EPSS Percentile
87.0%
Details
CWE
CWE-89
Status
published
Products (48)
rubygems/activerecord
0 - 2.1.1RubyGems
rubyonrails/rails
0.9.1
rubyonrails/rails
0.9.2
rubyonrails/rails
0.9.3
rubyonrails/rails
0.9.4
rubyonrails/rails
0.9.4.1
rubyonrails/rails
0.10.0
rubyonrails/rails
0.10.1
rubyonrails/rails
0.11.0
rubyonrails/rails
0.11.1
... and 38 more
Published
Sep 30, 2008
Tracked Since
Feb 18, 2026