Sha256: 49564dcc5a691ce58ad019f92ff81a6ac10ecb95d7cbd9ef55c6a04e499acd86

Size: 850 Bytes

Versions: 1

Compression:

Stored size: 850 Bytes

Contents

---
gem: administrate
cve: 2020-5257
ghsa: 2p5p-m353-833w
title: Sort order SQL injection via `direction` parameter in administrate
date: 2020-03-14
url: https://github.com/advisories/GHSA-2p5p-m353-833w
description: |
  In Administrate (rubygem) before version 0.13.0, when sorting by attributes
  on a dashboard, the direction parameter was not validated before being
  interpolated into the SQL query.

  This could present a SQL injection if the attacker were able to modify the
  direction parameter and bypass ActiveRecord SQL protections.

  Whilst this does have a high impact, to exploit this you need access to the
  Administrate dashboards, which should generally be behind authentication.

patched_versions:
  - ">= 0.13.0"

related:
  url:
    - https://github.com/thoughtbot/administrate/commit/3ab838b83c5f565fba50e0c6f66fe4517f98eed3
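The defect class this advisory describes, as an added example that is not Administrate's or bundler-audit's code: a sort direction taken from the request and interpolated into the ORDER BY fragment with no validation, next to a hardened version that only lets `asc` or `desc` through, plus the version comparison a scanner makes against this entry's `patched_versions`. The class and method names (`UnsafeOrder`, `SafeOrder`, `administrate_vulnerable?`) and the attacker payload are illustrative assumptions, not Administrate's API or any known exploit string.

```ruby
# Added example, not Administrate's or bundler-audit's code. Class and
# method names are illustrative assumptions, not Administrate's API.
require "rubygems"

class UnsafeOrder
  def initialize(attribute, direction)
    @attribute = attribute
    @direction = direction
  end

  # Vulnerable: the raw `direction` value from the request is pasted into
  # the SQL fragment. The attribute is held fixed so only `direction` varies.
  def order_clause
    "ORDER BY #{@attribute} #{@direction}"
  end
end

class SafeOrder
  DIRECTIONS = %w[asc desc].freeze

  def initialize(attribute, direction)
    @attribute = attribute
    @direction = self.class.sanitize_direction(direction)
  end

  def order_clause
    "ORDER BY #{@attribute} #{@direction}"
  end

  # Allow-list: only the two literal directions survive (case-insensitive);
  # anything else, including nil and "asc, (SELECT ...)", falls back to "asc".
  # Because the result is one of two constants, no request data reaches SQL.
  def self.sanitize_direction(direction)
    value = direction.to_s.downcase
    DIRECTIONS.include?(value) ? value : "asc"
  end
end

# The version check a scanner performs for this entry, reduced to its core:
# an installed version is affected unless it satisfies one of the advisory's
# patched_versions requirements (here, the single ">= 0.13.0" from the YAML).
PATCHED_VERSIONS = [">= 0.13.0"].freeze

def administrate_vulnerable?(installed_version)
  version = Gem::Version.new(installed_version)
  PATCHED_VERSIONS.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker input (not from the advisory): a second ORDER BY
  # expression whose evaluation forces a division by zero, the shape of an
  # error-based probe. The unsafe clause carries it through untouched.
  payload = "asc, (SELECT CASE WHEN (1=1) THEN 1 ELSE 1/0 END)"
  puts UnsafeOrder.new("name", payload).order_clause
  puts SafeOrder.new("name", payload).order_clause
  puts "0.12.0 vulnerable? #{administrate_vulnerable?('0.12.0')}"
  puts "0.13.0 vulnerable? #{administrate_vulnerable?('0.13.0')}"
end
```

Note that the fix is an allow-list with a safe default rather than escaping: a sort direction has exactly two legal values, so there is nothing to escape and nothing for a quoting routine to get wrong.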

Version data entries

1 entry across 1 version & 1 rubygem

Version: bundler-audit-0.7.0.1
Path: data/ruby-advisory-db/gems/administrate/CVE-2020-5257.yml