High severity · NVD Advisory · Published Sep 30, 2008 · Updated Apr 23, 2026
CVE-2008-4094
Description
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activerecord (RubyGems) | < 2.1.1 | 2.1.1 |
Affected products
- cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* (range: <=2.1.0)
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*
Patches
ef0ea782b1f5: Added SQL escaping for :limit and :offset [#288 state:closed] (Aaron Bedra, Steven Bristol, Jonathan Wiess)
2 files changed · +27 −2
activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb+7 −2 modified@@ -106,11 +106,16 @@ def add_limit!(sql, options) # SELECT * FROM suppliers LIMIT 10 OFFSET 50 def add_limit_offset!(sql, options) if limit = options[:limit] - sql << " LIMIT #{limit}" + sql << " LIMIT #{sanitize_limit(limit)}" if offset = options[:offset] - sql << " OFFSET #{offset}" + sql << " OFFSET #{offset.to_i}" end end + sql + end + + def sanitize_limit(limit) + limit.to_s[/,/] ? limit.split(',').map{ |i| i.to_i }.join(',') : limit.to_i end # Appends a locking clause to an SQL statement.
activerecord/test/cases/adapter_test.rb+20 −0 modified@@ -104,4 +104,24 @@ def test_reset_table_with_non_integer_pk end end + def test_add_limit_offset_should_sanitize_sql_injection_for_limit_without_comas + sql_inject = "1 select * from schema" + assert_equal " LIMIT 1", @connection.add_limit_offset!("", :limit=>sql_inject) + if current_adapter?(:MysqlAdapter) + assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7) + else + assert_equal " LIMIT 1 OFFSET 7", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7) + end + end + + def test_add_limit_offset_should_sanitize_sql_injection_for_limit_with_comas + sql_inject = "1, 7 procedure help()" + if current_adapter?(:MysqlAdapter) + assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject) + assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7) + else + assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject) + assert_equal " LIMIT 1,7 OFFSET 7", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7) + end + end end
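Review bot: In sanitize_limit (database_statements.rb), the comma test runs on limit.to_s but the split is called on limit itself, so a limit that is not a String and has no split method fails there instead of being sanitized whenever its string form contains a comma. Use limit.to_s.split(',') so both steps operate on the same value. The number of comma-separated parts is also not capped, so an input with several commas produces a LIMIT clause with more than two integers; consider keeping only the first two parts. Note that :offset is still only appended, and therefore only coerced with to_i, when :limit is present.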
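Review bot: Neither new test in adapter_test.rb passes a hostile :offset; both use the integer 7, so the offset.to_i change is never exercised. Add a case that passes a string such as the sql_inject value as :offset and asserts that only the integer survives. The MysqlAdapter branches expect " LIMIT 7, 1", a format the abstract add_limit_offset! changed in this commit does not emit, so confirm that the adapter's own implementation applies the same sanitization, since this diff only touches the abstract file. In the second test the first assertion is identical in both branches of the current_adapter? check and can be hoisted out of the if/else, and the test names spell "commas" as "comas".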
References
- rails.lighthouseapp.com/projects/8994/tickets/288 [nvd: Patch, WEB]
- rails.lighthouseapp.com/projects/8994/tickets/964 [nvd: Patch, WEB]
- blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1 [nvd: Exploit]
- secunia.com/advisories/31875 [nvd: Exploit, Vendor Advisory]
- secunia.com/advisories/31909 [nvd: Exploit, Vendor Advisory]
- secunia.com/advisories/31910 [nvd: Exploit, Vendor Advisory]
- www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/ [nvd: Exploit]
- www.vupen.com/english/advisories/2008/2562 [nvd: Vendor Advisory]
- github.com/advisories/GHSA-xf96-32q2-9rw2 [ghsa: ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2008-4094 [ghsa: ADVISORY]
- lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html [nvd: WEB]
- www.openwall.com/lists/oss-security/2008/09/13/2 [nvd: WEB]
- www.openwall.com/lists/oss-security/2008/09/16/1 [nvd: WEB]
- www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter [ghsa: WEB]
- exchange.xforce.ibmcloud.com/vulnerabilities/45109 [nvd: WEB]
- github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645 [ghsa: WEB]
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml [ghsa: WEB]
- web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1 [ghsa: WEB]
- web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch [ghsa: WEB]
- web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch [ghsa: WEB]
- web.archive.org/web/20081104151751/http://gist.github.com/8946 [ghsa: WEB]
- web.archive.org/web/20081113122736/http://secunia.com/advisories/31875 [ghsa: WEB]
- web.archive.org/web/20081207211431/http://secunia.com/advisories/31909 [ghsa: WEB]
- web.archive.org/web/20081207211436/http://secunia.com/advisories/31910 [ghsa: WEB]
- web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562 [ghsa: WEB]
- web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176 [ghsa: WEB]
- web.archive.org/web/20201207112829/http://www.securitytracker.com/id [ghsa: WEB]
- gist.github.com/8946 [nvd]
- www.securityfocus.com/bid/31176 [nvd]
- www.securitytracker.com/id [nvd]