PT-2008-5397 · Ruby · Ruby On Rails

Robert Buchholz

Publicado

2008-09-30

Atualizado

2019-08-08

CVE-2008-4094

CVSS v2.0

7.5

Alta

Vetor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions prior to 2.1.1

Description The issue allows remote attackers to execute arbitrary SQL commands via the :limit and :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. This is a SQL injection issue that can be exploited by attackers to execute malicious SQL commands.

Recommendations For versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the :limit and :offset parameters in affected API endpoints until a patch is available. Avoid using the :limit and :offset parameters in queries that are executed with user-supplied input.

Exploit

Correção

RCE

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-89

Identificadores relacionados

CVE-2008-4094

GHSA-XF96-32Q2-9RW2

Produtos afetados

Ruby On Rails

PT-2008-5397 · Ruby · Ruby On Rails

CVE-2008-4094

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 33