GHSA-jmm9-2p29-vh2w

Suggest an improvement
Source
https://github.com/advisories/GHSA-jmm9-2p29-vh2w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-jmm9-2p29-vh2w/GHSA-jmm9-2p29-vh2w.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jmm9-2p29-vh2w
Aliases
  • CVE-2011-0448
Published
2017-10-24T18:33:38Z
Modified
2024-11-28T05:41:04.471931Z
Summary
activerecord vulnerable to SQL Injection
Details

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

Database specific
{
    "nvd_published_at": "2011-02-21T18:00:01Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:43:51Z"
}
References

Affected packages

RubyGems / activerecord

Package

Name
activerecord
Purl
pkg:gem/activerecord

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.4

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1