CVE-2023-22794: RubyGems ActiveRecord SQL Injection Vulnerability
On January 18, a SQL injection vulnerability was disclosed that affects specific versions of the Ruby on Rails (a.k.a. Rails) platform. According to the advisory, the SQLi flaw lies in Rails' ActiveRecord component.
Active Record insulates you from the need to use SQL in most cases. It will perform queries on the database for you and is compatible with most database systems, including MySQL, MariaDB, PostgreSQL, and SQLite. Regardless of which database system you’re using, the Active Record method format will always be the same.
RubyGems ActiveRecord is vulnerable to SQL injection. Tracked as CVE-2023-22794, the flaw relates to the sanitization of SQL comments. An attacker could send specially crafted SQL statements to the system, which could allow the attacker to read or modify any data in the underlying database.
“There is a possible vulnerability in ActiveRecord related to the sanitization of comments. This vulnerability has been assigned the CVE identifier CVE-2023-22794,” the advisory explains.
“If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment,” they add.
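The advisory's point is that text destined for a SQL comment must not be able to close that comment. The example below is added here and is not Rails' own code or its actual fix; it assumes a simplified model in which an annotation is appended to a query as a `/* ... */` block comment, and contrasts a naive single-pass strip of the comment delimiters with a fixed-point sanitizer that keeps stripping until no delimiter remains. The helper names (`naive_sanitize`, `strict_sanitize`, `comment_safe?`, `annotated_sql`) and the sample inputs are constructed for illustration.

```ruby
# Added example (not Rails' code): sanitizing untrusted text before it is
# embedded in a SQL block comment, as annotate/optimizer_hints/QueryLogs do.

COMMENT_DELIMITERS = %r{/\*|\*/}

# Naive one-pass approach: overlapping sequences can leave a delimiter behind
# after the removal, so a single gsub is not a sufficient guarantee.
def naive_sanitize(value)
  value.to_s.gsub(COMMENT_DELIMITERS, "")
end

# Strict approach: repeat the removal until the string stops changing.
# Every pass that changes the string shortens it, so the loop terminates.
def strict_sanitize(value)
  comment = value.to_s.dup
  loop do
    stripped = comment.gsub(COMMENT_DELIMITERS, "")
    break if stripped == comment
    comment = stripped
  end
  comment
end

# A comment body is safe to embed only if no delimiter survives sanitization.
def comment_safe?(comment)
  !comment.match?(COMMENT_DELIMITERS)
end

# Appends the sanitized annotation to the query as a block comment and fails
# closed if a delimiter somehow survived, rather than sending it to the database.
def annotated_sql(sql, annotation)
  comment = strict_sanitize(annotation)
  raise ArgumentError, "comment delimiter survived sanitization" unless comment_safe?(comment)
  "#{sql} /* #{comment} */"
end

if __FILE__ == $0
  # Constructed inputs: a benign annotation and one built from overlapping delimiters.
  puts annotated_sql("SELECT * FROM users", "report: nightly")
  puts naive_sanitize("**//").inspect   # one pass leaves "*/" behind
  puts strict_sanitize("**//").inspect  # fixed point removes everything
end
```

The defensive lesson is the fixed-point loop plus the final `comment_safe?` check: the sanitizer's output is verified, not trusted, before the comment is concatenated onto the query. Annotations and optimizer hints should in any case be static strings chosen by the application rather than values taken from request input.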
The vulnerability affects ActiveRecord 6.0.x prior to version 6.0.6.1, 6.1.x prior to version 6.1.7.1, and 7.0.0 prior to version 7.0.4.1; Rails fixed it in versions 6.0.6.1, 6.1.7.1 and 7.0.4.1. These releases also fix several other vulnerabilities, including:
- [CVE-2023-22797] Possible Open Redirect Vulnerability in Action Pack
- [CVE-2022-44566] Possible Denial of Service Vulnerability in ActiveRecord’s PostgreSQL
- [CVE-2023-22795] Possible ReDoS based DoS vulnerability in Action Dispatch
- [CVE-2023-22796] Possible ReDoS based DoS vulnerability in Active Support’s underscore
- [CVE-2023-22792] Possible ReDoS based DoS vulnerability in Action Dispatch
Organizations working with Rails should upgrade to remain on the safe side. Upgraded versions of Rails are available from the project. To aid users who aren't able to upgrade immediately, Rails has provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 6-0-Make-sanitize_as_sql_comment-more-strict.patch – Patch for 6.0 series
- 6-1-Make-sanitize_as_sql_comment-more-strict.patch – Patch for 6.1 series
- 7-0-Make-sanitize_as_sql_comment-more-strict.patch – Patch for 7.0 series