OSVDB-95376: ActiveRecord Gem :limit / :offset SQL Injection

October 10, 2008

The issue is due to the program not properly sanitizing user-supplied input related to the :limit and :offset functions. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

References

github.com/rsim/oracle-enhanced/commit/414b582d1afc4b2626ef7bf57e0987a00d433374
github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord-oracle_enhanced-adapter/OSVDB-95376.yml

Code Behaviors & Features

Detect and mitigate OSVDB-95376 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →