Geocoder gem for Ruby contains a possible SQL injection vulnerability
Published: January 25, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-7981 (NVD)
- GHSA: GHSA-864j-6qpp-cmrr
- Vendor Advisory: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23
GEM
geocoder
SEVERITY
PATCHED VERSIONS
>= 1.6.1
DESCRIPTION
In Geocoder versions before 1.6.1, sql.rb builds the SQL fragment for within_bounding_box by interpolating the sw_lat, sw_lng, ne_lat and ne_lng coordinates directly into the query string. When any of those values comes from untrusted input (for example, request parameters passed straight to a within_bounding_box scope), an attacker can inject SQL into the WHERE clause. The injection is Boolean-based (blind): the attacker learns nothing from error text and instead infers data from whether the modified query returns rows. Upgrade to 1.6.1 or later; as defence in depth, coerce or validate coordinates as numbers before they reach within_bounding_box, and audit call sites that pass user-supplied parameters to it.
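The pattern the advisory describes, rebuilt as a stand-alone Ruby example beside a hardened version. This is added illustration, not Geocoder's own code or its actual 1.6.1 fix; the method names, attribute names and sample coordinates are assumptions chosen for the example.

```ruby
# Added example, not Geocoder's own code: the interpolation pattern behind
# CVE-2020-7981 rebuilt in a stand-alone method, beside a hardened version.
# Method names, attribute names and the sample coordinates are illustrative
# assumptions; they are not Geocoder's real API.

# Vulnerable pattern: the four corner coordinates are interpolated straight
# into the SQL fragment. A value such as "0 OR 1=1" is copied into the WHERE
# clause verbatim and changes which rows the query returns.
def bounding_box_sql_vulnerable(sw_lat, sw_lng, ne_lat, ne_lng,
                                lat_attr: "latitude", lon_attr: "longitude")
  "#{lat_attr} BETWEEN #{sw_lat} AND #{ne_lat} AND " \
    "#{lon_attr} BETWEEN #{sw_lng} AND #{ne_lng}"
end

# Hardened version: each coordinate is parsed with Kernel#Float before it can
# reach the SQL string. Float() raises ArgumentError for anything that is not a
# numeric literal, so attacker-controlled text never becomes part of the query;
# the range checks additionally reject values such as "1e400" (which parses as
# Infinity) that are numeric but cannot be valid latitudes or longitudes.
def bounding_box_sql_hardened(sw_lat, sw_lng, ne_lat, ne_lng,
                              lat_attr: "latitude", lon_attr: "longitude")
  sw_lat_f, sw_lng_f, ne_lat_f, ne_lng_f =
    [sw_lat, sw_lng, ne_lat, ne_lng].map { |c| Float(c) }
  [sw_lat_f, ne_lat_f].each do |lat|
    raise ArgumentError, "latitude out of range: #{lat}" unless lat.between?(-90.0, 90.0)
  end
  [sw_lng_f, ne_lng_f].each do |lng|
    raise ArgumentError, "longitude out of range: #{lng}" unless lng.between?(-180.0, 180.0)
  end
  "#{lat_attr} BETWEEN #{sw_lat_f} AND #{ne_lat_f} AND " \
    "#{lon_attr} BETWEEN #{sw_lng_f} AND #{ne_lng_f}"
end

# Helper for checking behaviour: true when the hardened builder refuses the input.
def injection_rejected?(*coords)
  bounding_box_sql_hardened(*coords)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a bounding box around lower Manhattan, then the
  # same call with an injected south-west latitude.
  good = ["40.5", "-74.2", "41", "-73.7"]
  evil = ["0 OR 1=1", "-74.2", "41", "-73.7"]
  puts "vulnerable, good input: #{bounding_box_sql_vulnerable(*good)}"
  puts "vulnerable, evil input: #{bounding_box_sql_vulnerable(*evil)}"
  puts "hardened,   good input: #{bounding_box_sql_hardened(*good)}"
  puts "hardened,   evil input rejected? #{injection_rejected?(*evil)}"
end
```

Kernel#Float is used deliberately instead of String#to_f: to_f silently turns "0 OR 1=1" into 0.0, which also blocks the injection but hides the tampering, whereas Float() raises so the request can be rejected and logged. The range checks matter because numeric coercion alone still lets Infinity or NaN-producing strings through into the generated SQL.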
