SQL Injection Affecting activerecord package, versions >= 3.0.0, <=3.0.3

Snyk CVSS

Attack Complexity Low

Threat Intelligence

EPSS 0.32% (71^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-ACTIVERECORD-20282
published 20 Dec 2016
disclosed 8 Feb 2011
credit Eaden McKee

Report a new vulnerability Found a mistake?

Introduced: 8 Feb 2011

CVE-2011-0448 Open this link in a new tab CWE-89 Open this link in a new tab

Overview

activerecord is the Object-Relational Mapping (ORM) that comes out-of-the-box with Rails. It plays the role of Model in the MVC architecture employed by Rails. This allows an attacker to run a specially crafted arguments to execute SQL commands on the host servers database.

References

Ruby on Rails blog
Ruby Security forum
Security Tracker