Steffen Joeris
2008-Oct-01 12:48 UTC
[Secure-testing-team] Bug#500791: CVE-2008-4094: multiple sql injection vulnerabilities
Package: rails
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for rails.

CVE-2008-4094[0]:
| Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1
| allow remote attackers to execute arbitrary SQL commands via the (1)
| :limit and (2) :offset parameters, related to ActiveRecord,
| ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4094
    http://security-tracker.debian.net/tracker/CVE-2008-4094
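
The class of bug named in the CVE text, shown as an added example that is not part of the original message and is not Rails code: a LIMIT/OFFSET value interpolated verbatim into SQL text, next to a version that accepts only non-negative integers. The helper names (unsafe_limit_clause, strict_count, safe_limit_clause) are hypothetical and the sample inputs are constructed.

```ruby
# Added illustration; hypothetical helpers, not the Rails implementation.

BASE_QUERY = "SELECT id, name FROM posts"

# Constructed sample of a request parameter that is not a plain number.
HOSTILE_LIMIT = "1; SELECT 1"

# Vulnerable pattern: the caller-supplied values become part of the
# SQL text, so anything after the number is parsed as SQL as well.
def unsafe_limit_clause(sql, limit, offset = nil)
  sql = "#{sql} LIMIT #{limit}"
  sql += " OFFSET #{offset}" unless offset.nil?
  sql
end

# Accept only a non-negative base-10 integer. Integer() rejects
# trailing text, floats, hex prefixes and empty strings, unlike
# String#to_i, which would silently stop at the first non-digit.
def strict_count(value, name)
  n = Integer(value.to_s, 10) rescue nil
  raise ArgumentError, "invalid #{name}: #{value.inspect}" if n.nil? || n < 0
  n
end

# Hardened pattern: only validated integers reach the SQL text.
def safe_limit_clause(sql, limit, offset = nil)
  sql = "#{sql} LIMIT #{strict_count(limit, 'limit')}"
  sql += " OFFSET #{strict_count(offset, 'offset')}" unless offset.nil?
  sql
end

# Small demonstration over constructed inputs.
[["10", "20"], [HOSTILE_LIMIT, nil], ["10", "-1"]].each do |limit, offset|
  puts "unsafe: #{unsafe_limit_clause(BASE_QUERY, limit, offset)}"
  begin
    puts "safe:   #{safe_limit_clause(BASE_QUERY, limit, offset)}"
  rescue ArgumentError => e
    puts "safe:   rejected (#{e.message})"
  end
end
```

Rejecting malformed values outright, rather than coercing them, also leaves a clear signal in application logs when a client sends a non-numeric limit or offset.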