PT-2011-4189 · Ruby+1 · Ruby On Rails+1

Tenderlove

Publicado

2011-08-29

Atualizado

2019-08-08

CVE-2011-2930

CVSS v2.0

7.5

Alta

Vetor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions prior to 2.3.13 Ruby on Rails versions 3.0.x prior to 3.0.10 Ruby on Rails versions 3.1.x prior to 3.1.0.rc5

Description The issue allows remote attackers to execute arbitrary SQL commands via a crafted column name, due to multiple SQL injection vulnerabilities in the quote table name method in the ActiveRecord adapters.

Recommendations For versions prior to 2.3.13, update to version 2.3.13 or later. For versions 3.0.x prior to 3.0.10, update to version 3.0.10 or later. For versions 3.1.x prior to 3.1.0.rc5, update to version 3.1.0.rc5 or later.

Exploit

Correção

RCE

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-89

Identificadores relacionados

CVE-2011-2930

DSA-2301-1

GHSA-H6W6-XMQV-7Q78

Produtos afetados

Ruby On Rails

Suse

PT-2011-4189 · Ruby+1 · Ruby On Rails+1

CVE-2011-2930

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 19