CVE-2020-7981 (geocoder): Geocoder gem for Ruby contains possible SQL injection vulnerability

January 25th, 2020

ADVISORIES

CVE-2020-7981 (NVD)
GHSA-864j-6qpp-cmrr
Vendor Advisory

GEM

geocoder

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

>= 1.6.1

DESCRIPTION

sql.rb in Geocoder allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data.

https://github.com/alexreisner/geocoder/compare/v1.6.0...v1.6.1
https://github.com/alexreisner/geocoder/commit/dcdc3d8675411edce3965941a2ca7c441ca48613

RubySec

CVE-2020-7981 (geocoder): Geocoder gem for Ruby contains possible SQL injection vulnerability

ADVISORIES

GEM

SEVERITY

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories