Detections
Analytics

CVE-2011-0448

high

Description

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

References

https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474

http://www.vupen.com/english/advisories/2011/0877

http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

http://securitytracker.com/id?1025063

http://secunia.com/advisories/43278

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html

http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain

Details

Source: Mitre, NVD

Published: 2011-02-21

Updated: 2025-04-11

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Severity: High

EPSS

EPSS: 0.00689