CVE-2011-0448

N/A Unknown

Published: February 21, 2011 Modified: April 29, 2026

Description

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain

Source: cve@mitre.org

Patch

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html

Source: cve@mitre.org

http://secunia.com/advisories/43278

Source: cve@mitre.org

Vendor Advisory

http://securitytracker.com/id?1025063

Source: cve@mitre.org

http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

Source: cve@mitre.org

Patch

http://www.vupen.com/english/advisories/2011/0877

Source: cve@mitre.org

https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474

Source: cve@mitre.org

http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain