CVE-2008-4094: SQL Injection in Project Activerecord

CWE-89: SQL Injection | 6 documents | 5 sources
Severity: 7.5 HIGH (NVD)
EPSS: 3.1% (top 13.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 30 | Latest update Oct 24

Description

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages (4 packages)

Debian: rubyonrails/rails < 2.1.0-1+3
NVD: rubyonrails/rails 38 versions+37

Patches

🔴 Vulnerability Details (4)

OSV: Rails ActiveRecord gem vulnerable to SQL injection (2017-10-24)
GHSA: Rails ActiveRecord gem vulnerable to SQL injection (2017-10-24)
CVEList: CVE-2008-4094: Multiple SQL injection vulnerabilities in Ruby on Rails before 2 (2008-09-30)
OSV: CVE-2008-4094: Multiple SQL injection vulnerabilities in Ruby on Rails before 2 (2008-09-30)

📋 Vendor Advisories (1)

Debian: CVE-2008-4094: rails - Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remot... (2008)