PT-2011-4189 · Ruby+1 · Ruby On Rails+1

Tenderlove

Published

2011-08-29

Updated

2019-08-08

CVE-2011-2930

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions prior to 2.3.13 Ruby on Rails versions 3.0.x prior to 3.0.10 Ruby on Rails versions 3.1.x prior to 3.1.0.rc5

Description The issue allows remote attackers to execute arbitrary SQL commands via a crafted column name, due to multiple SQL injection vulnerabilities in the quote table name method in the ActiveRecord adapters.

Recommendations For versions prior to 2.3.13, update to version 2.3.13 or later. For versions 3.0.x prior to 3.0.10, update to version 3.0.10 or later. For versions 3.1.x prior to 3.1.0.rc5, update to version 3.1.0.rc5 or later.

Exploit

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2011-2930

DSA-2301-1

GHSA-H6W6-XMQV-7Q78

Affected Products

Ruby On Rails

Suse

PT-2011-4189 · Ruby+1 · Ruby On Rails+1

CVE-2011-2930

Weakness Enumeration

Related Identifiers

Affected Products

References · 19