CVE-2008-4094 – activerecord
Package
Manager: gem
Name: activerecord
Vulnerable Version: >=0 <2.1.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:R
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.02897 (percentile: 0.85817)
Details
Rails ActiveRecord gem vulnerable to SQL injection
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) `:limit` and (2) `:offset` parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
Metadata
Created: 2017-10-24T18:33:38Z
Modified: 2023-05-26T16:40:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-xf96-32q2-9rw2/GHSA-xf96-32q2-9rw2.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-xf96-32q2-9rw2
Finding: F297
Auto approve: 1