CVE-2011-2930

Ruby on Rails < 2.3.13, 3.0.x < 3.0.10, 3.1.x < 3.1.0.rc5 - SQL Injection via Crafted Column Name

Title source: llm
STIX 2.1

Description

Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.

References (12)

Core 12
Core References
Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/08/17/1
Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/08/22/13
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/08/19/11
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2301
Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/08/20/1
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/08/22/14
Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/08/22/5

Scores

EPSS 0.0095
EPSS Percentile 76.6%

Details

CWE
CWE-89
Status published
Products (28)
rubygems/activerecord 2.0.0 - 2.3.13RubyGems
rubyonrails/rails 2.0.0 (3 CPE variants)
rubyonrails/rails 2.0.1
rubyonrails/rails 2.0.2
rubyonrails/rails 2.0.4
rubyonrails/rails 2.1.0
rubyonrails/rails 2.1.1
rubyonrails/rails 2.1.2
rubyonrails/rails 2.2.0
rubyonrails/rails 2.2.1
... and 18 more
Published Aug 29, 2011
Tracked Since Feb 18, 2026