Sha256: 62d8351cc634893652369da7956aeccae1ac3d8ba67bddeec6ac968a606014be
Contents?: true
Size: 811 Bytes
Versions: 3
Compression:
Stored size: 811 Bytes
Contents
---
gem: mysql-binuuid-rails
cve: 2018-18476
url: https://gist.github.com/viraptor/881276ea61e8d56bac6e28454c79f1e6
title: mysql-binuuid-rails allows SQL Injection by removing default string escaping
date: 2018-10-19
description: |
  mysql-binuuid-rails 1.1.0 and earlier allows SQL Injection because it removes
  default string escaping for affected database columns. ActiveRecord does not
  explicitly escape the Binary data type (Type::Binary::Data) for MySQL.
  mysql-binuuid-rails uses a data type that is derived from the base Binary
  type, except that it doesn’t convert the value to hex. Instead, it assumes
  the string value provided is a valid hex string and doesn’t do any checks
  on it.
patched_versions:
  - ">= 1.1.1"
related:
  url:
    - https://github.com/nedap/mysql-binuuid-rails/pull/18