RubySec

Providing security resources for the Ruby community

CVE-2019-1010191 (marginalia): SQL injection vulnerability via Marginalia::Comment

Published: July 26, 2019

SECURITY IDENTIFIERS

CVE-2019-1010191

GEM

marginalia

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

>= 1.6

DESCRIPTION

Versions of the 'marginalia' gem before 1.6 are affected by a SQL injection vulnerability via Marginalia::Comment. Marginalia appends a comment built from its configured components to every SQL query the application issues, so when one of those components carries a user-controlled value, every query becomes injectable.

This affects applications that add a user-controlled component to the comment, for instance a request parameter or an HTTP header.

The issue is resolved in version 1.6.
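The following is an added illustration, not marginalia's own code, of how a query comment built from a user-controlled component turns into an injection point, and why a naive single-pass fix is not enough. The component list, the `request_id` header value and the `strip_comment_delimiters` helper are all constructed for this example; the real remedy is to upgrade to marginalia 1.6 or later.

```ruby
# Added illustration (not marginalia's code): an SQL comment appended to every
# query becomes an injection vector when one of its components is user-controlled.

# Constructed sample of a marginalia-style component list. Each entry yields a
# "key:value" fragment; the last one echoes a request header an application
# chose to log, which is exactly the user-controlled component the advisory warns about.
def build_components(request_id)
  [
    -> { "application:shop" },
    -> { "controller:orders" },
    -> { "request_id:#{request_id}" }, # attacker-controlled (hypothetical header)
  ]
end

# Vulnerable (the pre-1.6 behaviour described by the advisory): the comment is
# appended verbatim. A "*/" inside any component closes the comment early and
# everything after it is parsed by the database as SQL.
def annotate_unsafe(sql, components)
  comment = components.map(&:call).join(",")
  "#{sql} /*#{comment}*/"
end

# A naive one-pass fix: remove comment delimiters once. This is insufficient:
# removing "*/" from "**//" leaves "*/" behind, so a nested payload survives.
def strip_once(str)
  str.gsub("/*", "").gsub("*/", "")
end

# Hypothetical hardening (assumed approach, not marginalia's actual source):
# keep removing delimiters until none remain, so removal cannot manufacture a
# new delimiter out of the remaining characters.
def strip_comment_delimiters(str)
  out = str.dup
  out = strip_once(out) while out.include?("/*") || out.include?("*/")
  out
end

def annotate_safe(sql, components)
  comment = components.map { |c| strip_comment_delimiters(c.call) }.join(",")
  "#{sql} /*#{comment}*/"
end

# Check: the annotated query is only safe if the first "*/" after the appended
# "/*" is the very end of the string; anything else means the comment was
# closed early (or never closed) and trailing text would be executed as SQL.
def comment_breakout?(annotated_sql)
  annotated_sql.index("*/") != annotated_sql.length - 2
end

# Worked example on constructed input.
def demo
  base  = "SELECT * FROM orders WHERE id = 1"
  comps = build_components("*/; DROP TABLE users; --")
  {
    unsafe: annotate_unsafe(base, comps),
    safe:   annotate_safe(base, comps),
  }
end

if $PROGRAM_NAME == __FILE__
  r = demo
  puts "unsafe: #{r[:unsafe]}  breakout=#{comment_breakout?(r[:unsafe])}"
  puts "safe:   #{r[:safe]}  breakout=#{comment_breakout?(r[:safe])}"
  puts "strip_once('**//')              => #{strip_once('**//').inspect}"
  puts "strip_comment_delimiters('**//') => #{strip_comment_delimiters('**//').inspect}"
end
```

Run it and the unsafe query ends in `/*...request_id:*/; DROP TABLE users; --*/`, where the second statement sits outside the comment; the hardened query keeps the whole header inside the comment. The `strip_once("**//")` line shows the case that forces the loop.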