Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-22794

UNKNOWN
Published 2023-02-09T00:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-22794. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.

Understanding This Vulnerability

This Common Vulnerabilities and Exposures (CVE) entry provides detailed information about a security vulnerability that has been publicly disclosed. CVEs are standardized identifiers assigned by MITRE Corporation to track and catalog security vulnerabilities across software and hardware products.

The severity rating (UNKNOWN) indicates the potential impact of this vulnerability based on the CVSS (Common Vulnerability Scoring System) framework. Higher severity ratings typically indicate vulnerabilities that could lead to more significant security breaches if exploited. Security teams should prioritize remediation efforts based on severity, exploit availability, and the EPSS (Exploit Prediction Scoring System) score, which predicts the likelihood of exploitation in the wild.

If this vulnerability affects products or systems in your infrastructure, we recommend reviewing the affected products section, checking for available patches or updates from vendors, and implementing recommended workarounds or solutions until a permanent fix is available. Organizations should also monitor security advisories and threat intelligence feeds for updates about active exploitation of this vulnerability.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

References

https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117 (CNA)
https://www.debian.org/security/2023/dsa-5372 (CNA)
https://security.netapp.com/advisory/ntap-20240202-0008/ (CNA)

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

SQL Injection Vulnerability via ActiveRecord comments

GHSA-hq7p-j377-6v63

Advisory Details

There is a possible vulnerability in ActiveRecord related to the sanitization of comments. This vulnerability has been assigned the CVE identifier CVE-2023-22794. Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.6.1, 6.1.7.1, 7.0.4.1 Impact Previously the implementation of escaping for comments was insufficient for If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment. In most cases these interfaces won’t be used with user input and users should avoid doing so. Example vulnerable code: ``` Post.where(id: 1).annotate("#{params[:user_input]}") Post.where(id: 1).optimizer_hints("#{params[:user_input]}") ``` Example vulnerable QueryLogs configuration (the default configuration is not vulnerable): ``` config.active_record.query_log_tags = [ { something: -> { <some value including user input> } } ] ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases The FIXED releases are available at the normal locations. Workarounds Avoid passing user input to annotate and avoid using QueryLogs configuration which can include user input. Patches To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. 6-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.0 series 6-1-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.1 series 7-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 7.0 series Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Affected Packages

RubyGems activerecord
ECOSYSTEM: ≥6.0.0 <6.0.6.1
RubyGems activerecord
ECOSYSTEM: ≥6.1.0 <6.1.7.1
RubyGems activerecord
ECOSYSTEM: ≥7.0.0 <7.0.4.1

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-22794
WEB https://github.com/rails/rails/commit/d7aba06953f9fa789c411676b941d20df8ef73de
WEB https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
PACKAGE https://github.com/rails/rails
WEB https://github.com/rails/rails/releases/tag/v7.0.4.1
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2023-22794.yml
WEB https://security.netapp.com/advisory/ntap-20240202-0008
WEB https://www.debian.org/security/2023/dsa-5372

Advisory provided by GitHub Security Advisory Database. Published: January 18, 2023, Modified: February 2, 2024

References

https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
https://www.debian.org/security/2023/dsa-5372
https://security.netapp.com/advisory/ntap-20240202-0008/
Published: 2023-02-09T00:00:00
Last Modified: 2024-08-02T10:20:30.748Z
Copied to clipboard!