CVE-2011-0448: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
(updated )
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
References
- groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain
- lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
- secunia.com/advisories/43278
- securitytracker.com/id?1025063
- weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
- www.vupen.com/english/advisories/2011/0877
- github.com/advisories/GHSA-jmm9-2p29-vh2w
- nvd.nist.gov/vuln/detail/CVE-2011-0448
Code Behaviors & Features
Detect and mitigate CVE-2011-0448 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →