OSVDB-95376 (activerecord-oracle_enhanced-adapter): Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection

ADVISORIES

OSVDB-95376
Vendor Advisory

GEM

PATCHED VERSIONS

>= 1.1.8

DESCRIPTION

Oracle "enhanced" ActiveRecord Gem for Ruby contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the program not properly sanitizing user-supplied input related to the :limit and :offset functions. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

https://www.versioneye.com/Ruby/activerecord-oracle_enhanced-adapter/1.1.6
https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDORACLEENHANCEDADAPTER-20006
http://osvdb.org/show/osvdb/95376

RubySec

OSVDB-95376 (activerecord-oracle_enhanced-adapter): Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection

ADVISORIES

GEM

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories