High severityNVD Advisory· Published Feb 21, 2011· Updated Jun 16, 2026
CVE-2011-0448
CVE-2011-0448
Description
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
activerecordRubyGems | >= 3.0.0, < 3.0.4 | 3.0.4 |
Affected products
14cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*+ 12 more
- cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
11- groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40adnvdPatchWEB
- weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4nvdPatchWEB
- secunia.com/advisories/43278nvdVendor Advisory
- github.com/advisories/GHSA-jmm9-2p29-vh2wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2011-0448ghsaADVISORY
- lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.htmlnvdWEB
- github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474nvdWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.ymlghsaWEB
- web.archive.org/web/20201220214809/http://securitytracker.com/idghsaWEB
- securitytracker.com/idnvd
- www.vupen.com/english/advisories/2011/0877nvd
News mentions
0No linked articles in our index yet.