Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2011-0448

Good to know:

icon

Date: February 20, 2011

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

Language: Ruby

Severity Score

Related Resources (12)

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
http://www.vupen.com/english/advisories/2011/0877
http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
https://github.com/rails/rails
https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474
https://web.archive.org/web/20201220214809/http://securitytracker.com/id?1025063
http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.yml
https://nvd.nist.gov/vuln/detail/CVE-2011-0448
http://securitytracker.com/id?1025063
http://secunia.com/advisories/43278
https://www.mend.io/vulnerability-database/CVE-2011-0448

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

icon

Upgrade Version

Upgrade to version activerecord - 3.0.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): LOW

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us