Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-F590160F3272A226B5AA93620E9E0594Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
71.9%
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
| CPE | Name | Operator | Version |
|---|---|---|---|
| gem/activerecord | ge | 2.0.0 | |
| gem/activerecord | lt | 2.3.13 | |
| gem/activerecord | ge | 3.0.0 | |
| gem/activerecord | lt | 3.0.10 |
References
groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain
lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
www.debian.org/security/2011/dsa-2301
www.openwall.com/lists/oss-security/2011/08/17/1
www.openwall.com/lists/oss-security/2011/08/19/11
www.openwall.com/lists/oss-security/2011/08/20/1
www.openwall.com/lists/oss-security/2011/08/22/13
www.openwall.com/lists/oss-security/2011/08/22/14
www.openwall.com/lists/oss-security/2011/08/22/5
bugzilla.redhat.com/show_bug.cgi?id=731438
github.com/advisories/GHSA-h6w6-xmqv-7q78
github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85
nvd.nist.gov/vuln/detail/CVE-2011-2930
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
71.9%