Vulnerability-Lookup

CVE-2011-2930 (GCVE-0-2011-2930)

Vulnerability from cvelistv5 – Published: 2011-08-29 18:00 – Updated: 2024-08-06 23:15

Summary

Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

GSD-2011-2930

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2011-2930

Aliases

CVE-2011-2930

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2011-2930",
    "description": "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.",
    "id": "GSD-2011-2930",
    "references": [
      "https://www.suse.com/security/cve/CVE-2011-2930.html",
      "https://www.debian.org/security/2011/dsa-2301"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2011-2930"
      ],
      "details": "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.",
      "id": "GSD-2011-2930",
      "modified": "2023-12-13T01:19:07.259578Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2011-2930",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[oss-security] 20110817 CVE request: ruby on rails flaws (4)",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
          },
          {
            "name": "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85",
            "refsource": "CONFIRM",
            "url": "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85"
          },
          {
            "name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
          },
          {
            "name": "FEDORA-2011-11386",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
          },
          {
            "name": "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
          },
          {
            "name": "DSA-2301",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2011/dsa-2301"
          },
          {
            "name": "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
          },
          {
            "name": "[rubyonrails-security] 20110816 SQL Injection Vulnerability in quote_table_name",
            "refsource": "MLIST",
            "url": "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source\u0026output=gplain"
          },
          {
            "name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=731438",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=731438"
          },
          {
            "name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
          },
          {
            "name": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6",
            "refsource": "CONFIRM",
            "url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.0.0 \u003c2.3.13||\u003e=3.0.0 \u003c3.0.10",
          "affected_versions": "All versions starting from 2.0.0 before 2.3.13, all versions starting from 3.0.0 before 3.0.10",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-89",
            "CWE-937"
          ],
          "date": "2021-09-14",
          "description": "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.",
          "fixed_versions": [
            "2.3.13",
            "3.0.10"
          ],
          "identifier": "CVE-2011-2930",
          "identifiers": [
            "GHSA-h6w6-xmqv-7q78",
            "CVE-2011-2930"
          ],
          "not_impacted": "All versions before 2.0.0, all versions starting from 2.3.13 before 3.0.0, all versions starting from 3.0.10",
          "package_slug": "gem/activerecord",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to versions 2.3.13, 3.0.10 or above.",
          "title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2011-2930",
            "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85",
            "https://bugzilla.redhat.com/show_bug.cgi?id=731438",
            "https://github.com/advisories/GHSA-h6w6-xmqv-7q78",
            "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source\u0026output=gplain",
            "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html",
            "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6",
            "http://www.debian.org/security/2011/dsa-2301",
            "http://www.openwall.com/lists/oss-security/2011/08/17/1",
            "http://www.openwall.com/lists/oss-security/2011/08/19/11",
            "http://www.openwall.com/lists/oss-security/2011/08/20/1",
            "http://www.openwall.com/lists/oss-security/2011/08/22/13",
            "http://www.openwall.com/lists/oss-security/2011/08/22/14",
            "http://www.openwall.com/lists/oss-security/2011/08/22/5"
          ],
          "uuid": "16f1b19e-13dd-4430-966a-6696b803289f"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2011-2930"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
            },
            {
              "name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
              "refsource": "MLIST",
              "tags": [
                "Patch"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=731438",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=731438"
            },
            {
              "name": "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)",
              "refsource": "MLIST",
              "tags": [
                "Patch"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
            },
            {
              "name": "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85"
            },
            {
              "name": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
            },
            {
              "name": "[rubyonrails-security] 20110816 SQL Injection Vulnerability in quote_table_name",
              "refsource": "MLIST",
              "tags": [
                "Patch"
              ],
              "url": "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source\u0026output=gplain"
            },
            {
              "name": "[oss-security] 20110817 CVE request: ruby on rails flaws (4)",
              "refsource": "MLIST",
              "tags": [
                "Patch"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
            },
            {
              "name": "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)",
              "refsource": "MLIST",
              "tags": [
                "Patch"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
            },
            {
              "name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
              "refsource": "MLIST",
              "tags": [
                "Patch"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
            },
            {
              "name": "FEDORA-2011-11386",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
            },
            {
              "name": "DSA-2301",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2011/dsa-2301"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2019-08-08T15:42Z",
      "publishedDate": "2011-08-29T18:55Z"
    }
  }
}

CERTA-2011-AVI-459

Vulnerability from certfr_avis - Published: 2011-08-18 - Updated: 2011-09-16

De multiples vulnérabilités présentes dans le produit Ruby on Rails ont été corrigées. Elles permettent le contournement de la politique de sécurité, l'injection de code SQL et l'injection de code HTML dans une réponse.

Description

De multiples vulnérabilités présentes dans le produit Ruby on Rails ont été corrigées. Ces vulnérabilités permettent notamment :

le rendu de vues de données normalement inaccessibles à l'utilisateur ;
l'injection de code dans les requêtes SQL ;
l'injection de code javascript dans les réponses HTML ;
l'envoi de chaînes Unicode malformées dans les réponses HTML.

Solution

Se référer aux bulletins de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Note : une mise à jour pour la version 3.1 RC est également disponible.

None

Impacted products

	Vendor	Product	Description
	Ruby on Rails	Ruby on Rails	Ruby on Rails 3.0.x.
	Ruby on Rails	Ruby on Rails	Ruby on Rails 2.3.x ;

References

Title

Publication Time

FKIE_CVE-2011-2930

Vulnerability from fkie_nvd - Published: 2011-08-29 18:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain	Patch
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
secalert@redhat.com	http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6	Patch
secalert@redhat.com	http://www.debian.org/security/2011/dsa-2301
secalert@redhat.com	http://www.openwall.com/lists/oss-security/2011/08/17/1	Patch
secalert@redhat.com	http://www.openwall.com/lists/oss-security/2011/08/19/11	Patch
secalert@redhat.com	http://www.openwall.com/lists/oss-security/2011/08/20/1	Patch
secalert@redhat.com	http://www.openwall.com/lists/oss-security/2011/08/22/13	Patch
secalert@redhat.com	http://www.openwall.com/lists/oss-security/2011/08/22/14
secalert@redhat.com	http://www.openwall.com/lists/oss-security/2011/08/22/5	Patch
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=731438	Patch
secalert@redhat.com	https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85	Patch
af854a3a-2127-422b-91ae-364da2661108	http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
af854a3a-2127-422b-91ae-364da2661108	http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2011/dsa-2301
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2011/08/17/1	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2011/08/19/11	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2011/08/20/1	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2011/08/22/13	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2011/08/22/14
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2011/08/22/5	Patch
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=731438	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85	Patch

Impacted products

Vendor	Product	Version
rubyonrails	rails	2.0.0
rubyonrails	rails	2.0.0
rubyonrails	rails	2.0.0
rubyonrails	rails	2.0.1
rubyonrails	rails	2.0.2
rubyonrails	rails	2.0.4
rubyonrails	rails	2.1.0
rubyonrails	rails	2.1.1
rubyonrails	rails	2.1.2
rubyonrails	rails	2.2.0
rubyonrails	rails	2.2.1
rubyonrails	rails	2.2.2
rubyonrails	rails	2.3.2
rubyonrails	rails	2.3.3
rubyonrails	rails	2.3.4
rubyonrails	rails	2.3.9
rubyonrails	rails	2.3.10
rubyonrails	rails	2.3.11
rubyonrails	rails	2.3.12
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.0
rubyonrails	rails	3.0.1
rubyonrails	rails	3.0.1
rubyonrails	rails	3.0.2
rubyonrails	rails	3.0.2
rubyonrails	rails	3.0.3
rubyonrails	rails	3.0.4
rubyonrails	rails	3.0.5
rubyonrails	rails	3.0.5
rubyonrails	rails	3.0.6
rubyonrails	rails	3.0.6
rubyonrails	rails	3.0.6
rubyonrails	rails	3.0.7
rubyonrails	rails	3.0.7
rubyonrails	rails	3.0.7
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.8
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.9
rubyonrails	rails	3.0.10
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	rails	3.1.0
rubyonrails	ruby_on_rails	3.0.4

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
              "matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
              "matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
              "matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
              "matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en el m\u00e9todo quote_table_name en el adaptador ActiveRecord de activerecord/lib/active_record/connection_adapters/ in Ruby on Rails antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5, permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s de un nombre de columna modificado."
    }
  ],
  "id": "CVE-2011-2930",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-08-29T18:55:01.457",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source\u0026output=gplain"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2011/dsa-2301"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=731438"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source\u0026output=gplain"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2011/dsa-2301"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=731438"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-H6W6-XMQV-7Q78

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2025-11-03 13:56

Summary

activerecord vulnerable to SQL Injection

Details

Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activerecord"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.3.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activerecord"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0.beta"
            },
            {
              "fixed": "3.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activerecord"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0.beta1"
            },
            {
              "fixed": "3.1.0.rc5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-2930"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:39:17Z",
    "nvd_published_at": "2011-08-29T18:55:01Z",
    "severity": "HIGH"
  },
  "details": "Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.",
  "id": "GHSA-h6w6-xmqv-7q78",
  "modified": "2025-11-03T13:56:05Z",
  "published": "2017-10-24T18:33:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2930"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=731438"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-2930.yml"
    },
    {
      "type": "WEB",
      "url": "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source\u0026output=gplain"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
    },
    {
      "type": "WEB",
      "url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2011/dsa-2301"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "activerecord vulnerable to SQL Injection"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2011-2930 (GCVE-0-2011-2930)

GSD-2011-2930

CERTA-2011-AVI-459

Description

Solution

FKIE_CVE-2011-2930

GHSA-H6W6-XMQV-7Q78

Tags

Sightings

Nomenclature