Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-wz1m-798r-8yez
Vulnerability ID VCID-wz1m-798r-8yez
Aliases CVE-2008-4094
GHSA-xf96-32q2-9rw2
Summary Rails ActiveRecord gem vulnerable to SQL injection Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) `:limit` and (2) `:offset` parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
generic_textual HIGH http://rails.lighthouseapp.com/projects/8994/tickets/288
generic_textual HIGH http://rails.lighthouseapp.com/projects/8994/tickets/964
epss 0.03119 https://api.first.org/data/v1/epss?cve=CVE-2008-4094
generic_textual HIGH https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xf96-32q2-9rw2
generic_textual HIGH https://github.com/rails/rails
generic_textual HIGH https://github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2008-4094
generic_textual HIGH https://web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
generic_textual HIGH https://web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch
generic_textual HIGH https://web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch
generic_textual HIGH https://web.archive.org/web/20081104151751/http://gist.github.com/8946
generic_textual HIGH https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875
generic_textual HIGH https://web.archive.org/web/20081207211431/http://secunia.com/advisories/31909
generic_textual HIGH https://web.archive.org/web/20081207211436/http://secunia.com/advisories/31910
generic_textual HIGH https://web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562
generic_textual HIGH https://web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176
generic_textual HIGH https://web.archive.org/web/20201207112829/http://www.securitytracker.com/id?1020871
generic_textual HIGH http://www.openwall.com/lists/oss-security/2008/09/13/2
generic_textual HIGH http://www.openwall.com/lists/oss-security/2008/09/16/1
generic_textual HIGH http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter
Reference id Reference type URL
http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
http://gist.github.com/8946
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
http://rails.lighthouseapp.com/projects/8994/tickets/288
http://rails.lighthouseapp.com/projects/8994/tickets/964
https://api.first.org/data/v1/epss?cve=CVE-2008-4094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4094
http://secunia.com/advisories/31875
http://secunia.com/advisories/31909
http://secunia.com/advisories/31910
https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
https://github.com/rails/rails
https://github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml
https://nvd.nist.gov/vuln/detail/CVE-2008-4094
https://web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
https://web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch
https://web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch
https://web.archive.org/web/20081104151751/http://gist.github.com/8946
https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875
https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875/
https://web.archive.org/web/20081207211431/http://secunia.com/advisories/31909
https://web.archive.org/web/20081207211436/http://secunia.com/advisories/31910
https://web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562
https://web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176
https://web.archive.org/web/20201207112829/http://www.securitytracker.com/id?1020871
http://www.openwall.com/lists/oss-security/2008/09/13/2
http://www.openwall.com/lists/oss-security/2008/09/16/1
http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter
http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
http://www.securityfocus.com/bid/31176
http://www.securitytracker.com/id?1020871
http://www.vupen.com/english/advisories/2008/2562
500791 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500791
GHSA-xf96-32q2-9rw2 https://github.com/advisories/GHSA-xf96-32q2-9rw2
GLSA-200912-02 https://security.gentoo.org/glsa/200912-02
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.87063
EPSS Score 0.03119
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:57:00.568614+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-xf96-32q2-9rw2/GHSA-xf96-32q2-9rw2.json 38.6.0