High severity · NVD Advisory · Published Sep 30, 2008 · Updated Jun 16, 2026
CVE-2008-4094
Description
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activerecord (RubyGems) | < 2.1.1 | 2.1.1 |
Affected products
- cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* (version range: <= 2.1.0)
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*
Patches
Fixed in Rails 2.1.1 (activerecord 2.1.1). GHSA links the rails/rails commit ef0ea782b1f5cf7b08e74ea3002a16c708f66645 (listed under References) as the upstream fix; backport patches for ActiveRecord 1.15.3 and 2.0.2 (activerecord-1.15.3.patch and activerecord-2.0.2.patch from blog.innerewut.de) are archived there as well.
Vulnerability mechanics
Before 2.1.1, the values given as the :limit and :offset finder options were appended to the generated SQL (the LIMIT and OFFSET clauses) without being coerced to integers. Any application that forwarded request parameters straight into those options, for example Model.find(:all, :limit => params[:limit]), therefore let a remote client place arbitrary text into the query. The fix casts both values to integers before they reach the SQL string. Applications on a patched version should still validate pagination parameters themselves: the sanitization covers only these two options, not :order, :group or other finder options that accept raw SQL fragments by design.
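The following added example is not Rails code and not taken from the advisory. It models the pre-2.1.1 behaviour in a toy query builder (UnsafeFinder interpolates :limit and :offset verbatim) next to a hardened builder whose sanitize_limit is modelled on my understanding of the 2.1.1 fix: every value is reduced to a non-negative integer, or a comma-separated pair of integers for the MySQL "LIMIT offset,count" form, before it touches the SQL string. The hostile input is constructed for illustration; the table and module names are arbitrary.

```ruby
# Added example (not Rails code): the vulnerable pattern beside its hardened form.

module UnsafeFinder
  # Modelled pre-2.1.1 behaviour: :limit and :offset are interpolated as given,
  # so a value lifted from params[] lands in the SQL untouched.
  def self.select(table, options = {})
    sql = "SELECT * FROM #{table}"
    sql += " LIMIT #{options[:limit]}"   if options[:limit]
    sql += " OFFSET #{options[:offset]}" if options[:offset]
    sql
  end
end

module SafeFinder
  # Coerce a limit/offset value to "N" or "N,M" (integers only) or reject it.
  # Integer(str, 10) refuses anything that is not a plain base-10 integer,
  # so "10; DROP TABLE users" raises instead of being passed through.
  def self.sanitize_limit(limit)
    parts = limit.to_s.split(',', -1).map { |part| Integer(part.strip, 10) }
    raise ArgumentError if parts.empty? || parts.any?(&:negative?)
    parts.join(',')
  rescue ArgumentError, TypeError
    raise ArgumentError, "refusing non-integer limit/offset: #{limit.inspect}"
  end

  # Same builder as above, but every pagination value is sanitized first.
  def self.select(table, options = {})
    sql = "SELECT * FROM #{table}"
    sql += " LIMIT #{sanitize_limit(options[:limit])}"   if options[:limit]
    sql += " OFFSET #{sanitize_limit(options[:offset])}" if options[:offset]
    sql
  end
end

if __FILE__ == $0
  hostile = "10; DROP TABLE users" # constructed attacker-controlled parameter
  puts "unsafe: #{UnsafeFinder.select('users', limit: hostile)}"
  begin
    SafeFinder.select('users', limit: hostile)
  rescue ArgumentError => e
    puts "safe:   #{e.message}"
  end
  puts "safe:   #{SafeFinder.select('users', limit: '5,10', offset: '20')}"
end
```

Rejecting bad input (rather than silently truncating it with to_i) is a deliberate choice here: a request that carries "10; DROP TABLE users" as a page size is worth logging, and a 400 response costs nothing.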
References
- rails.lighthouseapp.com/projects/8994/tickets/288 (NVD: Patch)
- rails.lighthouseapp.com/projects/8994/tickets/964 (NVD: Patch)
- blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1 (NVD: Exploit)
- secunia.com/advisories/31875 (NVD: Exploit, Vendor Advisory)
- secunia.com/advisories/31909 (NVD: Exploit, Vendor Advisory)
- secunia.com/advisories/31910 (NVD: Exploit, Vendor Advisory)
- www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/ (NVD: Exploit)
- www.vupen.com/english/advisories/2008/2562 (NVD: Vendor Advisory)
- github.com/advisories/GHSA-xf96-32q2-9rw2 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2008-4094 (GHSA: Advisory)
- lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html (NVD: Web)
- www.openwall.com/lists/oss-security/2008/09/13/2 (NVD: Web)
- www.openwall.com/lists/oss-security/2008/09/16/1 (NVD: Web)
- www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter (GHSA: Web)
- exchange.xforce.ibmcloud.com/vulnerabilities/45109 (NVD: Web)
- github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645 (GHSA: Web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml (GHSA: Web)
- web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1 (GHSA: Web)
- web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch (GHSA: Web)
- web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch (GHSA: Web)
- web.archive.org/web/20081104151751/http://gist.github.com/8946 (GHSA: Web)
- web.archive.org/web/20081113122736/http://secunia.com/advisories/31875 (GHSA: Web)
- web.archive.org/web/20081207211431/http://secunia.com/advisories/31909 (GHSA: Web)
- web.archive.org/web/20081207211436/http://secunia.com/advisories/31910 (GHSA: Web)
- web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562 (GHSA: Web)
- web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176 (GHSA: Web)
- web.archive.org/web/20201207112829/http://www.securitytracker.com/id (GHSA: Web)
- gist.github.com/8946 (NVD)
- www.securityfocus.com/bid/31176 (NVD)
- www.securitytracker.com/id (NVD)