Homepage
About Snyk

SQL Injection Affecting activerecord package, versions >=6.0.0, <6.0.6.1 >=6.1.0, <6.1.7.1 >=7.0.0, <7.0.4.1

0.0
high

Snyk CVSS

    Attack Complexity Low
    Scope Changed

    Threat Intelligence

    EPSS 0.05% (17th percentile)
Expand this section
NVD
8.8 high
Expand this section
Red Hat
8.3 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-ACTIVERECORD-3237236
  • published 19 Jan 2023
  • disclosed 18 Jan 2023
  • credit kurt-r2c
Report a new vulnerability Found a mistake?

Introduced: 18 Jan 2023

CVE-2023-22794 Open this link in a new tab
CWE-89 Open this link in a new tab

How to fix?

Upgrade activerecord to version 6.0.6.1, 6.1.7.1, 7.0.4.1 or higher.

Overview

activerecord is a library for databases on Rails.

Affected versions of this package are vulnerable to SQL Injection due to improper sanitization of comments passed via annotate, optimzer_hints methods, or via the QueryLogs interface, which adds annotations automatically. Exploiting this behavior allows a malicious user to inject SQL outside of the comment.

Workaround

Avoid passing user input to annotate and avoid using QueryLogs configuration, which can include user input.