Vulnerability-Lookup

CVE-2008-4094 (GCVE-0-2008-4094)

Vulnerability from cvelistv5 – Published: 2008-09-30 17:00 – Updated: 2024-08-07 10:00

Summary

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://gist.github.com/8946	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
	http://www.openwall.com/lists/oss-security/2008/09/13/2	mailing-listx_refsource_MLIST
	http://rails.lighthouseapp.com/projects/8994/tick…	x_refsource_CONFIRM
	http://rails.lighthouseapp.com/projects/8994/tick…	x_refsource_CONFIRM
	http://secunia.com/advisories/31875	third-party-advisoryx_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://secunia.com/advisories/31910	third-party-advisoryx_refsource_SECUNIA
	http://blog.innerewut.de/2008/6/16/why-you-should…	x_refsource_MISC
	http://www.securitytracker.com/id?1020871	vdb-entryx_refsource_SECTRACK
	http://www.rorsecurity.info/2008/09/08/sql-inject…	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2008/09/16/1	mailing-listx_refsource_MLIST
	http://www.securityfocus.com/bid/31176	vdb-entryx_refsource_BID
	http://secunia.com/advisories/31909	third-party-advisoryx_refsource_SECUNIA
	http://www.vupen.com/english/advisories/2008/2562	vdb-entryx_refsource_VUPEN

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T10:00:42.864Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://gist.github.com/8946"
          },
          {
            "name": "rubyonrails-activerecord-sql-injection(45109)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
          },
          {
            "name": "[oss-security] 20080913 CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
          },
          {
            "name": "31875",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/31875"
          },
          {
            "name": "SUSE-SR:2008:027",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
          },
          {
            "name": "31910",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/31910"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
          },
          {
            "name": "1020871",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1020871"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"
          },
          {
            "name": "[oss-security] 20080915 Re: CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
          },
          {
            "name": "31176",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/31176"
          },
          {
            "name": "31909",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/31909"
          },
          {
            "name": "ADV-2008-2562",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2008/2562"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2008-09-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-07T12:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://gist.github.com/8946"
        },
        {
          "name": "rubyonrails-activerecord-sql-injection(45109)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
        },
        {
          "name": "[oss-security] 20080913 CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
        },
        {
          "name": "31875",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/31875"
        },
        {
          "name": "SUSE-SR:2008:027",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
        },
        {
          "name": "31910",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/31910"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
        },
        {
          "name": "1020871",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1020871"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"
        },
        {
          "name": "[oss-security] 20080915 Re: CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
        },
        {
          "name": "31176",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/31176"
        },
        {
          "name": "31909",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/31909"
        },
        {
          "name": "ADV-2008-2562",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2008/2562"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-4094",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://gist.github.com/8946",
              "refsource": "CONFIRM",
              "url": "http://gist.github.com/8946"
            },
            {
              "name": "rubyonrails-activerecord-sql-injection(45109)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
            },
            {
              "name": "[oss-security] 20080913 CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
            },
            {
              "name": "http://rails.lighthouseapp.com/projects/8994/tickets/964",
              "refsource": "CONFIRM",
              "url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
            },
            {
              "name": "http://rails.lighthouseapp.com/projects/8994/tickets/288",
              "refsource": "CONFIRM",
              "url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
            },
            {
              "name": "31875",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/31875"
            },
            {
              "name": "SUSE-SR:2008:027",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
            },
            {
              "name": "31910",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/31910"
            },
            {
              "name": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1",
              "refsource": "MISC",
              "url": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
            },
            {
              "name": "1020871",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1020871"
            },
            {
              "name": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/",
              "refsource": "MISC",
              "url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"
            },
            {
              "name": "[oss-security] 20080915 Re: CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
            },
            {
              "name": "31176",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/31176"
            },
            {
              "name": "31909",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/31909"
            },
            {
              "name": "ADV-2008-2562",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2008/2562"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2008-4094",
    "datePublished": "2008-09-30T17:00:00.000Z",
    "dateReserved": "2008-09-15T00:00:00.000Z",
    "dateUpdated": "2024-08-07T10:00:42.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

FKIE_CVE-2008-4094

Vulnerability from fkie_nvd - Published: 2008-09-30 17:22 - Updated: 2025-04-09 00:30

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1	Exploit
cve@mitre.org	http://gist.github.com/8946
cve@mitre.org	http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
cve@mitre.org	http://rails.lighthouseapp.com/projects/8994/tickets/288	Patch
cve@mitre.org	http://rails.lighthouseapp.com/projects/8994/tickets/964	Patch
cve@mitre.org	http://secunia.com/advisories/31875	Exploit, Vendor Advisory
cve@mitre.org	http://secunia.com/advisories/31909	Exploit, Vendor Advisory
cve@mitre.org	http://secunia.com/advisories/31910	Exploit, Vendor Advisory
cve@mitre.org	http://www.openwall.com/lists/oss-security/2008/09/13/2
cve@mitre.org	http://www.openwall.com/lists/oss-security/2008/09/16/1
cve@mitre.org	http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/	Exploit
cve@mitre.org	http://www.securityfocus.com/bid/31176
cve@mitre.org	http://www.securitytracker.com/id?1020871
cve@mitre.org	http://www.vupen.com/english/advisories/2008/2562	Vendor Advisory
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
af854a3a-2127-422b-91ae-364da2661108	http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://gist.github.com/8946
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
af854a3a-2127-422b-91ae-364da2661108	http://rails.lighthouseapp.com/projects/8994/tickets/288	Patch
af854a3a-2127-422b-91ae-364da2661108	http://rails.lighthouseapp.com/projects/8994/tickets/964	Patch
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/31875	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/31909	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/31910	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2008/09/13/2
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2008/09/16/1
af854a3a-2127-422b-91ae-364da2661108	http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/31176
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1020871
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2008/2562	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/45109

Impacted products

Vendor	Product	Version
rubyonrails	rails	0.9.1
rubyonrails	rails	0.9.2
rubyonrails	rails	0.9.3
rubyonrails	rails	0.9.4
rubyonrails	rails	0.9.4.1
rubyonrails	rails	0.10.0
rubyonrails	rails	0.10.1
rubyonrails	rails	0.11.0
rubyonrails	rails	0.11.1
rubyonrails	rails	0.12.0
rubyonrails	rails	0.12.1
rubyonrails	rails	0.13.0
rubyonrails	rails	0.13.1
rubyonrails	rails	0.14.1
rubyonrails	rails	0.14.2
rubyonrails	rails	0.14.3
rubyonrails	rails	0.14.4
rubyonrails	rails	1.0.0
rubyonrails	rails	1.1.0
rubyonrails	rails	1.1.1
rubyonrails	rails	1.1.2
rubyonrails	rails	1.1.3
rubyonrails	rails	1.1.4
rubyonrails	rails	1.1.5
rubyonrails	rails	1.1.6
rubyonrails	rails	1.2.0
rubyonrails	rails	1.2.1
rubyonrails	rails	1.2.2
rubyonrails	rails	1.2.3
rubyonrails	rails	1.2.4
rubyonrails	rails	1.2.5
rubyonrails	rails	1.2.6
rubyonrails	rails	1.9.5
rubyonrails	rails	2.0.0
rubyonrails	rails	2.0.0
rubyonrails	rails	2.0.0
rubyonrails	rails	2.0.1
rubyonrails	rails	2.0.2
rubyonrails	rails	2.0.4
rubyonrails	rails	2.1.0
rubyonrails	ruby_on_rails	*
rubyonrails	ruby_on_rails	0.5.0
rubyonrails	ruby_on_rails	0.5.5
rubyonrails	ruby_on_rails	0.5.6
rubyonrails	ruby_on_rails	0.5.7
rubyonrails	ruby_on_rails	0.6.0
rubyonrails	ruby_on_rails	0.6.5
rubyonrails	ruby_on_rails	0.7.0
rubyonrails	ruby_on_rails	0.8.0
rubyonrails	ruby_on_rails	0.8.5
rubyonrails	ruby_on_rails	0.9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9CE42D86-A8FE-493F-9AB6-4E032E9294FF",
              "versionEndIncluding": "2.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer."
    },
    {
      "lang": "es",
      "value": "\"M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en Ruby on Rails anterior a versi\u00f3n 2.1.1, permiten a los atacantes remotos ejecutar comandos SQL arbitrarios por medio de los par\u00e1metros (1): limit y (2): offset, relacionados con ActiveRecord, ActiveSupport, ActiveResource, ActionPack y ActionMailer."
    }
  ],
  "id": "CVE-2008-4094",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2008-09-30T17:22:09.147",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://gist.github.com/8946"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31875"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31909"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31910"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/31176"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id?1020871"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2008/2562"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://gist.github.com/8946"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31875"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31909"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31910"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/31176"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1020871"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2008/2562"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-XF96-32Q2-9RW2

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-05-26 16:40

Summary

Rails ActiveRecord gem vulnerable to SQL injection

Details

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activerecord"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2008-4094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:04Z",
    "nvd_published_at": "2008-09-30T17:22:09Z",
    "severity": "HIGH"
  },
  "details": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) `:limit` and (2) `:offset` parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.",
  "id": "GHSA-xf96-32q2-9rw2",
  "modified": "2023-05-26T16:40:08Z",
  "published": "2017-10-24T18:33:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4094"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20081104151751/http://gist.github.com/8946"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20081207211431/http://secunia.com/advisories/31909"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20081207211436/http://secunia.com/advisories/31910"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201207112829/http://www.securitytracker.com/id?1020871"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
    },
    {
      "type": "WEB",
      "url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
    },
    {
      "type": "WEB",
      "url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Rails ActiveRecord gem vulnerable to SQL injection"
}

GSD-2008-4094

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2008-4094

Aliases

CVE-2008-4094

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2008-4094",
    "description": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.",
    "id": "GSD-2008-4094",
    "references": [
      "https://www.suse.com/security/cve/CVE-2008-4094.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2008-4094"
      ],
      "details": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.",
      "id": "GSD-2008-4094",
      "modified": "2023-12-13T01:22:59.643515Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2008-4094",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://gist.github.com/8946",
            "refsource": "CONFIRM",
            "url": "http://gist.github.com/8946"
          },
          {
            "name": "rubyonrails-activerecord-sql-injection(45109)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
          },
          {
            "name": "[oss-security] 20080913 CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
          },
          {
            "name": "http://rails.lighthouseapp.com/projects/8994/tickets/964",
            "refsource": "CONFIRM",
            "url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
          },
          {
            "name": "http://rails.lighthouseapp.com/projects/8994/tickets/288",
            "refsource": "CONFIRM",
            "url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
          },
          {
            "name": "31875",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/31875"
          },
          {
            "name": "SUSE-SR:2008:027",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
          },
          {
            "name": "31910",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/31910"
          },
          {
            "name": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1",
            "refsource": "MISC",
            "url": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
          },
          {
            "name": "1020871",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1020871"
          },
          {
            "name": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/",
            "refsource": "MISC",
            "url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"
          },
          {
            "name": "[oss-security] 20080915 Re: CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
          },
          {
            "name": "31176",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/31176"
          },
          {
            "name": "31909",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/31909"
          },
          {
            "name": "ADV-2008-2562",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2008/2562"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.1.1",
          "affected_versions": "All versions before 2.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-89",
            "CWE-937"
          ],
          "date": "2023-05-26",
          "description": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.",
          "fixed_versions": [
            "2.1.1"
          ],
          "identifier": "CVE-2008-4094",
          "identifiers": [
            "GHSA-xf96-32q2-9rw2",
            "CVE-2008-4094"
          ],
          "not_impacted": "All versions starting from 2.1.1",
          "package_slug": "gem/activerecord",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to version 2.1.1 or above.",
          "title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2008-4094",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109",
            "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html",
            "http://rails.lighthouseapp.com/projects/8994/tickets/288",
            "http://rails.lighthouseapp.com/projects/8994/tickets/964",
            "http://www.openwall.com/lists/oss-security/2008/09/13/2",
            "http://www.openwall.com/lists/oss-security/2008/09/16/1",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml",
            "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter",
            "https://github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645",
            "https://web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1",
            "https://web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch",
            "https://web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch",
            "https://web.archive.org/web/20081104151751/http://gist.github.com/8946",
            "https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875/",
            "https://web.archive.org/web/20081207211431/http://secunia.com/advisories/31909",
            "https://web.archive.org/web/20081207211436/http://secunia.com/advisories/31910",
            "https://web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562",
            "https://web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176",
            "https://web.archive.org/web/20201207112829/http://www.securitytracker.com/id?1020871",
            "https://github.com/advisories/GHSA-xf96-32q2-9rw2"
          ],
          "uuid": "038525e8-ae97-4a1b-b195-189822fdef63"
        },
        {
          "affected_range": "\u003c2.1.1",
          "affected_versions": "All versions before 2.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-89",
            "CWE-937"
          ],
          "date": "2021-09-21",
          "description": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.",
          "fixed_versions": [
            "2.1.1"
          ],
          "identifier": "CVE-2008-4094",
          "identifiers": [
            "GHSA-xf96-32q2-9rw2",
            "CVE-2008-4094"
          ],
          "not_impacted": "All versions starting from 2.1.1",
          "package_slug": "gem/rails",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to version 2.1.1 or above.",
          "title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2008-4094",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109",
            "https://github.com/advisories/GHSA-xf96-32q2-9rw2",
            "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1",
            "http://gist.github.com/8946",
            "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html",
            "http://rails.lighthouseapp.com/projects/8994/tickets/288",
            "http://rails.lighthouseapp.com/projects/8994/tickets/964",
            "http://secunia.com/advisories/31875",
            "http://secunia.com/advisories/31909",
            "http://secunia.com/advisories/31910",
            "http://www.openwall.com/lists/oss-security/2008/09/13/2",
            "http://www.openwall.com/lists/oss-security/2008/09/16/1",
            "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/",
            "http://www.securityfocus.com/bid/31176",
            "http://www.securitytracker.com/id?1020871",
            "http://www.vupen.com/english/advisories/2008/2562"
          ],
          "uuid": "af2b60c6-9193-4e5e-972b-31d5176c125e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-4094"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
            },
            {
              "name": "31910",
              "refsource": "SECUNIA",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/31910"
            },
            {
              "name": "http://rails.lighthouseapp.com/projects/8994/tickets/964",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
            },
            {
              "name": "http://rails.lighthouseapp.com/projects/8994/tickets/288",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
            },
            {
              "name": "[oss-security] 20080913 CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
            },
            {
              "name": "31875",
              "refsource": "SECUNIA",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/31875"
            },
            {
              "name": "31909",
              "refsource": "SECUNIA",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/31909"
            },
            {
              "name": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"
            },
            {
              "name": "[oss-security] 20080915 Re: CVE request: Ruby on Rails \u003c2.1.1 :limit and :offset SQL injection",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
            },
            {
              "name": "http://gist.github.com/8946",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://gist.github.com/8946"
            },
            {
              "name": "31176",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/31176"
            },
            {
              "name": "SUSE-SR:2008:027",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
            },
            {
              "name": "1020871",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1020871"
            },
            {
              "name": "ADV-2008-2562",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2008/2562"
            },
            {
              "name": "rubyonrails-activerecord-sql-injection(45109)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2019-08-08T14:43Z",
      "publishedDate": "2008-09-30T17:22Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2008-4094 (GCVE-0-2008-4094)

FKIE_CVE-2008-4094

GHSA-XF96-32Q2-9RW2

GSD-2008-4094

Tags

Sightings

Nomenclature