{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-22794", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "dateUpdated": "2024-08-02T10:20:30.748Z", "dateReserved": "2023-01-06T00:00:00", "datePublished": "2023-02-09T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-02-02T14:06:11.892247"}, "descriptions": [{"lang": "en", "value": "A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment."}], "affected": [{"vendor": "n/a", "product": "https://github.com/rails/rails", "versions": [{"version": "6.0.6.1, 6.1.7.1, 7.0.4.1", "status": "affected"}]}], "references": [{"url": "https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117"}, {"name": "DSA-5372", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5372"}, {"url": "https://security.netapp.com/advisory/ntap-20240202-0008/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "SQL Injection (CWE-89)", "cweId": "CWE-89"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:30.748Z"}, "title": "CVE Program Container", "references": [{"url": "https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117", "tags": ["x_transferred"]}, {"name": "DSA-5372", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5372"}, {"url": "https://security.netapp.com/advisory/ntap-20240202-0008/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:activerecord_project:activerecord:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "3B0AF7DB-45EB-4310-8409-90350D1AFF02", "versionEndExcluding": "6.0.6.1", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:activerecord_project:activerecord:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "0D94371F-6A6F-4D40-97A1-3B08C75E3AFB", "versionEndExcluding": "6.1.7.1", "versionStartIncluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:activerecord_project:activerecord:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "EDE689E3-57CB-4121-9EE3-1857079325E6", "versionEndExcluding": "7.0.4.1", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment."}], "id": "CVE-2023-22794", "lastModified": "2024-02-02T14:15:53.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-09T20:15:11.353", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117"}, {"source": "support@hackerone.com", "url": "https://security.netapp.com/advisory/ntap-20240202-0008/"}, {"source": "support@hackerone.com", "url": "https://www.debian.org/security/2023/dsa-5372"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:6818", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "impact": "moderate", "package": "rubygem-activerecord-0:6.1.7.3-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2023-11-08T00:00:00Z"}], "bugzilla": {"description": "rubygem-activerecord: SQL Injection", "id": "2164785", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164785"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-89", "details": ["A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.", "A flaw was found in RubyGem's activerecord gem, which is vulnerable to SQL injection. This flaw allows a remote attacker to send specially-crafted SQL statements to the comments, allowing the attacker to view, add, modify, or delete information in the back-end database."], "name": "CVE-2023-22794", "public_date": "2023-01-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-22794\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-22794\nhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2023-22794.yml"], "threat_severity": "Important", "upstream_fix": "rubygem-activerecord 6.0.6.1, rubygem-activerecord 6.1.7.1, rubygem-activerecord 7.0.4.1"}