gsd-2023-22794
Vulnerability from gsd
Modified
2023-01-18 00:00
Details
There is a possible vulnerability in ActiveRecord related to the sanitization of comments. This vulnerability has been assigned the CVE identifier CVE-2023-22794. Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.6.1, 6.1.7.1, 7.0.4.1 # Impact Previously the implementation of escaping for comments was insufficient for If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment. In most cases these interfaces won’t be used with user input and users should avoid doing so. Example vulnerable code: ``` Post.where(id: 1).annotate("#{params[:user_input]}") Post.where(id: 1).optimizer_hints("#{params[:user_input]}") ``` Example vulnerable QueryLogs configuration (the default configuration is not vulnerable): ``` config.active_record.query_log_tags = [ { something: -> { <some value including user input> } } ] ``` All users running an affected release should either upgrade or use one of the workarounds immediately. # Workarounds Avoid passing user input to annotate and avoid using QueryLogs configuration which can include user input.
Aliases
Aliases
CVE-2023-22794


To clipboard 

{
  "GSD": {
    "alias": "CVE-2023-22794",
    "id": "GSD-2023-22794",
    "references": [
      "https://www.suse.com/security/cve/CVE-2023-22794.html",
      "https://www.debian.org/security/2023/dsa-5372"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "activerecord",
            "purl": "pkg:gem/activerecord"
          }
        }
      ],
      "aliases": [
        "CVE-2023-22794",
        "GHSA-hq7p-j377-6v63"
      ],
      "details": "There is a possible vulnerability in ActiveRecord related to the\nsanitization of comments. This vulnerability has been assigned the CVE\nidentifier CVE-2023-22794.\n\nVersions Affected: \u003e= 6.0.0\nNot affected: \u003c 6.0.0\nFixed Versions: 6.0.6.1, 6.1.7.1, 7.0.4.1\n\n# Impact\n\nPreviously the implementation of escaping for comments was insufficient for\n\nIf malicious user input is passed to either the annotate query method, the\noptimizer_hints query method, or through the QueryLogs interface which\nautomatically adds annotations, it may be sent to the database with\ninsufficient sanitization and be able to inject SQL outside of the comment.\n\nIn most cases these interfaces won\u2019t be used with user input and users\nshould avoid doing so.\n\nExample vulnerable code:\n```\nPost.where(id: 1).annotate(\"#{params[:user_input]}\")\n\nPost.where(id: 1).optimizer_hints(\"#{params[:user_input]}\")\n```\n\nExample vulnerable QueryLogs configuration (the default configuration is not\nvulnerable):\n```\nconfig.active_record.query_log_tags = [\n  {\n    something: -\u003e { \u003csome value including user input\u003e }\n  }\n]\n```\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Workarounds\n\nAvoid passing user input to annotate and avoid using QueryLogs configuration\nwhich can include user input.",
      "id": "GSD-2023-22794",
      "modified": "2023-01-18T00:00:00.000Z",
      "published": "2023-01-18T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/rails/rails/releases/tag/v7.0.4.1"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rails/rails/commit/d7aba06953f9fa789c411676b941d20df8ef73de"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 8.8,
          "type": "CVSS_V3"
        }
      ],
      "summary": "SQL Injection Vulnerability via ActiveRecord comments"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2023-22794",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/rails/rails",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "6.0.6.1, 6.1.7.1, 7.0.4.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability in ActiveRecord \u003c6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "SQL Injection (CWE-89)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117",
            "refsource": "MISC",
            "url": "https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117"
          },
          {
            "name": "DSA-5372",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2023/dsa-5372"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20240202-0008/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20240202-0008/"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2023-22794",
      "cvss_v3": 8.8,
      "date": "2023-01-18",
      "description": "There is a possible vulnerability in ActiveRecord related to the\nsanitization of comments. This vulnerability has been assigned the CVE\nidentifier CVE-2023-22794.\n\nVersions Affected: \u003e= 6.0.0\nNot affected: \u003c 6.0.0\nFixed Versions: 6.0.6.1, 6.1.7.1, 7.0.4.1\n\n# Impact\n\nPreviously the implementation of escaping for comments was insufficient for\n\nIf malicious user input is passed to either the annotate query method, the\noptimizer_hints query method, or through the QueryLogs interface which\nautomatically adds annotations, it may be sent to the database with\ninsufficient sanitization and be able to inject SQL outside of the comment.\n\nIn most cases these interfaces won\u2019t be used with user input and users\nshould avoid doing so.\n\nExample vulnerable code:\n```\nPost.where(id: 1).annotate(\"#{params[:user_input]}\")\n\nPost.where(id: 1).optimizer_hints(\"#{params[:user_input]}\")\n```\n\nExample vulnerable QueryLogs configuration (the default configuration is not\nvulnerable):\n```\nconfig.active_record.query_log_tags = [\n  {\n    something: -\u003e { \u003csome value including user input\u003e }\n  }\n]\n```\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Workarounds\n\nAvoid passing user input to annotate and avoid using QueryLogs configuration\nwhich can include user input.",
      "gem": "activerecord",
      "ghsa": "hq7p-j377-6v63",
      "patched_versions": [
        "~\u003e 6.0.6, \u003e= 6.0.6.1",
        "~\u003e 6.1.7, \u003e= 6.1.7.1",
        "\u003e= 7.0.4.1"
      ],
      "related": {
        "url": [
          "https://github.com/rails/rails/commit/d7aba06953f9fa789c411676b941d20df8ef73de"
        ]
      },
      "title": "SQL Injection Vulnerability via ActiveRecord comments",
      "unaffected_versions": [
        "\u003c 6.0.0"
      ],
      "url": "https://github.com/rails/rails/releases/tag/v7.0.4.1"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=6.0.0 \u003c6.0.6.1||\u003e=6.1.0 \u003c6.1.7.1||\u003e=7.0.0 \u003c7.0.4.1",
          "affected_versions": "All versions starting from 6.0.0 before 6.0.6.1, all versions starting from 6.1.0 before 6.1.7.1, all versions starting from 7.0.0 before 7.0.4.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-89",
            "CWE-937"
          ],
          "date": "2023-03-14",
          "description": "A vulnerability in ActiveRecord \u003c6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.",
          "fixed_versions": [
            "6.0.6.1",
            "6.1.7.1",
            "7.0.4.1"
          ],
          "identifier": "CVE-2023-22794",
          "identifiers": [
            "CVE-2023-22794",
            "GHSA-hq7p-j377-6v63",
            "GMS-2023-60"
          ],
          "not_impacted": "All versions before 6.0.0, all versions starting from 6.0.6.1 before 6.1.0, all versions starting from 6.1.7.1 before 7.0.0, all versions starting from 7.0.4.1",
          "package_slug": "gem/activerecord",
          "pubdate": "2023-02-09",
          "solution": "Upgrade to versions 6.0.6.1, 6.1.7.1, 7.0.4.1 or above.",
          "title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-22794",
            "https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117",
            "https://github.com/rails/rails/releases/tag/v7.0.4.1",
            "https://github.com/advisories/GHSA-hq7p-j377-6v63"
          ],
          "uuid": "2dc2795e-86a7-46b3-89fa-4ace44065796"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions starting from 6.0.0 before 6.0.6.1, all versions starting from 6.1.0 before 6.1.7.1, all versions starting from 7.0.0 before 7.0.4.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-01-18",
          "description": "There is a possible vulnerability in ActiveRecord related to the sanitization of comments. Previously the implementation of escaping for comments was insufficient. If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment. In most cases these interfaces won\u2019t be used with user input and users should avoid doing so.",
          "fixed_versions": [
            "6.0.6.1",
            "6.1.7.1",
            "7.0.4.1"
          ],
          "identifier": "GMS-2023-60",
          "identifiers": [
            "GHSA-hq7p-j377-6v63",
            "GMS-2023-60",
            "CVE-2023-22794"
          ],
          "not_impacted": "All versions before 6.0.0, all versions starting from 6.0.6.1 before 6.1.0, all versions starting from 6.1.7.1 before 7.0.0, all versions starting from 7.0.4.1",
          "package_slug": "gem/activerecord",
          "pubdate": "2023-01-18",
          "solution": "Upgrade to versions 6.0.6.1, 6.1.7.1, 7.0.4.1 or above.",
          "title": "Duplicate of ./gem/activerecord/CVE-2023-22794.yml",
          "urls": [
            "https://github.com/rails/rails/releases/tag/v7.0.4.1",
            "https://github.com/advisories/GHSA-hq7p-j377-6v63"
          ],
          "uuid": "157645fb-43ba-4338-b5c3-64cd1159cd62"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:activerecord_project:activerecord:*:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "3B0AF7DB-45EB-4310-8409-90350D1AFF02",
                    "versionEndExcluding": "6.0.6.1",
                    "versionStartIncluding": "6.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:activerecord_project:activerecord:*:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "0D94371F-6A6F-4D40-97A1-3B08C75E3AFB",
                    "versionEndExcluding": "6.1.7.1",
                    "versionStartIncluding": "6.1.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:activerecord_project:activerecord:*:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "EDE689E3-57CB-4121-9EE3-1857079325E6",
                    "versionEndExcluding": "7.0.4.1",
                    "versionStartIncluding": "7.0.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "A vulnerability in ActiveRecord \u003c6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment."
          }
        ],
        "id": "CVE-2023-22794",
        "lastModified": "2024-02-02T14:15:53.270",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-02-09T20:15:11.353",
        "references": [
          {
            "source": "support@hackerone.com",
            "tags": [
              "Exploit",
              "Patch",
              "Vendor Advisory"
            ],
            "url": "https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117"
          },
          {
            "source": "support@hackerone.com",
            "url": "https://security.netapp.com/advisory/ntap-20240202-0008/"
          },
          {
            "source": "support@hackerone.com",
            "url": "https://www.debian.org/security/2023/dsa-5372"
          }
        ],
        "sourceIdentifier": "support@hackerone.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-89"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-89"
              }
            ],
            "source": "support@hackerone.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.