Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.5
CVE Id CVE-2008-4094
Last Modified 06 Jul 2012 01:15:54
Published 30 Sep 2008 01:22:09
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2008-4094

Summary

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

Vulnerable Systems

Application

  • Ruby On Rails 1.1.0
  • Ruby On Rails 1.1.1
  • Ruby On Rails 1.1.2
  • Ruby On Rails 1.1.4
  • Ruby On Rails 1.1.5
  • Ruby On Rails 1.2.4
  • Ruby On Rails 1.2.5
  • Ruby On Rails 2.0.0
  • Ruby On Rails 2.0.2
  • Ruby On Rails 2.0.4
  • Ruby On Rails 2.1.0
  • Rubyonrails Ruby On Rails 0.10.0
  • Rubyonrails Ruby On Rails 0.10.1
  • Rubyonrails Ruby On Rails 0.11.0
  • Rubyonrails Ruby On Rails 0.11.1
  • Rubyonrails Ruby On Rails 0.12.0
  • Rubyonrails Ruby On Rails 0.12.1
  • Rubyonrails Ruby On Rails 0.13.0
  • Rubyonrails Ruby On Rails 0.13.1
  • Rubyonrails Ruby On Rails 0.14.1
  • Rubyonrails Ruby On Rails 0.14.2
  • Rubyonrails Ruby On Rails 0.14.3
  • Rubyonrails Ruby On Rails 0.14.4
  • Rubyonrails Ruby On Rails 0.5.0
  • Rubyonrails Ruby On Rails 0.5.5
  • Rubyonrails Ruby On Rails 0.5.6
  • Rubyonrails Ruby On Rails 0.5.7
  • Rubyonrails Ruby On Rails 0.6.0
  • Rubyonrails Ruby On Rails 0.6.5
  • Rubyonrails Ruby On Rails 0.7.0
  • Rubyonrails Ruby On Rails 0.8.0
  • Rubyonrails Ruby On Rails 0.8.5
  • Rubyonrails Ruby On Rails 0.9.0
  • Rubyonrails Ruby On Rails 0.9.1
  • Rubyonrails Ruby On Rails 0.9.2
  • Rubyonrails Ruby On Rails 0.9.3
  • Rubyonrails Ruby On Rails 0.9.4
  • Rubyonrails Ruby On Rails 0.9.4.1
  • Rubyonrails Ruby On Rails 1.0.0
  • Rubyonrails Ruby On Rails 1.1.0
  • Rubyonrails Ruby On Rails 1.1.1
  • Rubyonrails Ruby On Rails 1.1.2
  • Rubyonrails Ruby On Rails 1.1.3
  • Rubyonrails Ruby On Rails 1.1.4
  • Rubyonrails Ruby On Rails 1.1.5
  • Rubyonrails Ruby On Rails 1.1.6
  • Rubyonrails Ruby On Rails 1.2.0
  • Rubyonrails Ruby On Rails 1.2.1
  • Rubyonrails Ruby On Rails 1.2.2
  • Rubyonrails Ruby On Rails 1.2.3
  • Rubyonrails Ruby On Rails 1.2.4
  • Rubyonrails Ruby On Rails 1.2.5
  • Rubyonrails Ruby On Rails 1.2.6
  • Rubyonrails Ruby On Rails 1.9.5
  • Rubyonrails Ruby On Rails 2.0.0
  • Rubyonrails Ruby On Rails 2.0.1
  • Rubyonrails Ruby On Rails 2.0.2
  • Rubyonrails Ruby On Rails 2.0.4
  • Rubyonrails Ruby On Rails 2.1
  • Rubyonrails Ruby On Rails 2.1.0

References

CONFIRM - http://rails.lighthouseapp.com/projects/8994/tickets/964
CONFIRM - http://rails.lighthouseapp.com/projects/8994/tickets/288
XF - rubyonrails-activerecord-sql-injection(45109)
VUPEN - ADV-2008-2562
SECTRACK - 1020871
BID - 31176
MISC - http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
MLIST - [oss-security] 20080915 Re: CVE request: Ruby on Rails <2.1.1 :limit and :offset SQL injection
MLIST - [oss-security] 20080913 CVE request: Ruby on Rails <2.1.1 :limit and :offset SQL injection
SECUNIA - 31910
SECUNIA - 31909
SECUNIA - 31875
SUSE - SUSE-SR:2008:027
CONFIRM - http://gist.github.com/8946
MISC - http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1


Last Updated: 27 May 2016 10:54:50