| Field | Value |
|---|---|
| Vulnerability Name | CVE-2011-0448 (CCN-65328) |
| Assigned | 2011-02-09 |
| Published | 2011-02-09 |
| Updated | 2019-08-08 |
| Summary | Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. |
| CVSS v3 Severity | 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) |
| CVSS v2 Severity | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P); 6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C); 6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C) |
| Vulnerability Type | CWE-89 |
| Vulnerability Consequences | Data Manipulation |

References:

- MITRE (CNA): CVE-2011-0448
- MLIST (Patch): [rubyonrails-security] 20110209 Potential SQL Injection in Rails 3.0.x
- FEDORA: FEDORA-2011-4358
- CCN (Ruby on Rails Web Site): Ruby on Rails
- CCN: SA43278 Ruby on Rails Filter Bypass and SQL Injection Vulnerabilities
- SECUNIA (Vendor Advisory): 43278
- SECTRACK: 1025063
- CONFIRM (Patch): http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
- CCN (OSVDB ID 70905): Ruby on Rails limit() Function SQL Injection
- CCN: BID-46292 Ruby on Rails Security Bypass and SQL Injection Vulnerabilities
- VUPEN: ADV-2011-0877
- XF: rubyonrails-limit-sql-injection(65328)

Vulnerable Configuration: Configuration 1