GLSA 201401-22: Active Record: SQL injection
Severity: low
Title: Active Record: SQL injection
Date: 01/21/2014
Bugs:
ID: 201401-22
Synopsis
A vulnerability in Active Record could allow a remote attacker to inject SQL commands.
Background
Active Record is a Ruby gem that allows database entries to be manipulated as objects.
Affected packages
Package | Vulnerable | Unaffected | Architecture(s) |
---|---|---|---|
dev-ruby/activerecord | < 2.3.14-r1 | >= 2.3.14-r1 | All supported architectures |
Description
An Active Record method parameter can mistakenly be used as a scope.
Impact
A remote attacker could use specially crafted input to execute arbitrary SQL statements.
Workaround
The vulnerability may be mitigated by converting the input to the expected type (a string) before it reaches the finder. This is accomplished by changing instances of 'Post.find_by_id(params[:id])' in code using Active Record to 'Post.find_by_id(params[:id].to_s)'.
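As an added example (not the advisory's or Active Record's own code), the following simplified model shows why the '.to_s' coercion matters: a request parameter can arrive as a Hash rather than a String, and a dynamic finder that treats a trailing Hash as finder options will honour it as a scope. The class, method and sample names (ToyFinder, build_query, safe_find, unsafe_find, the PARAMS_* samples) are assumptions for this illustration; the stricter scalar check at the end goes beyond the advisory's workaround.

```ruby
# Simplified model of a dynamic finder such as find_by_id (not Active Record's
# code). In the vulnerable pattern a Hash argument is taken as finder options
# (a scope) and merged into the query instead of being used as the value.
class ToyFinder
  def self.find_by_id(value)
    if value.is_a?(Hash)
      build_query(nil, value)   # Hash mistaken for options: becomes a scope
    else
      build_query(value, {})    # scalar: used only as the compared value
    end
  end

  def self.build_query(id, options)
    {
      where: id.nil? ? nil : { id: id.to_s }, # parameterised comparison value
      scope: options                           # extra clauses applied as-is
    }
  end
end

# Constructed request parameters. A String is the expected shape; a Hash is what
# nested query parsing (e.g. id[limit]=1) produces, so the type is caller-controlled.
PARAMS_STRING = { id: "42" }
PARAMS_HASH   = { id: { "limit" => "1" } }

# Pattern named in the advisory: the raw parameter reaches the finder.
def unsafe_find(params)
  ToyFinder.find_by_id(params[:id])
end

# Advisory workaround: coerce to String first. A Hash becomes a nonsense id that
# matches nothing, and it can no longer be interpreted as finder options.
def safe_find(params)
  ToyFinder.find_by_id(params[:id].to_s)
end

# Stricter alternative (beyond the advisory): reject anything that is not a
# scalar id outright so the request can be refused instead of silently mismatching.
def scalar_id(params)
  v = params[:id]
  v.is_a?(String) || v.is_a?(Integer) ? v.to_s : nil
end
```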
Resolution
All Active Record users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/activerecord-2.3.14-r1"
References
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.