CVE-2023-22794

UNKNOWN 0.0

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.

CWE	CWE-89
Vendor	n/a
Product	https://github.com/rails/rails
Published	Feb 9, 2023
Last Updated	Aug 2, 2024

Stay Ahead of the Next One

Get instant alerts for n/a https://github.com/rails/rails

Be the first to know when new unknown vulnerabilities affecting n/a https://github.com/rails/rails are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

n/a / https://github.com/rails/rails

6.0.6.1, 6.1.7.1, 7.0.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

discuss.rubyonrails.org: https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117 debian.org: https://www.debian.org/security/2023/dsa-5372 security.netapp.com: https://security.netapp.com/advisory/ntap-20240202-0008/