RubySec

Providing security resources for the Ruby community

CVE-2019-1010191 (marginalia): SQL injection vulnerability via Marginalia::Comment

ADVISORIES

GEM

marginalia

SEVERITY

CVSS v3: 9.8

PATCHED VERSIONS

  • >= 1.6

DESCRIPTION

The ‘marginalia’ gem is affected by a SQL Injection vulnerability. All SQL queries are affected when a user controller argument is added as a component.

This affects users that add a component that is user controller, for instance a parameter or a header.

The issue is resolved in version 1.6.