RubySec

Providing security resources for the Ruby community

CVE-2020-7981 (geocoder): Geocoder gem for Ruby contains possible SQL injection vulnerability

GEM

geocoder

SEVERITY

CVSS v3: 9.8

CVSS v2: 7.5

PATCHED VERSIONS

  • >= 1.6.1

DESCRIPTION

sql.rb in Geocoder allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data.
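As an added illustration (example code, not Geocoder's own sql.rb), the unsafe pattern the advisory describes, a bounding-box WHERE clause built by interpolating the four coordinates as given, next to a hardened builder that coerces each value with Kernel#Float and range-checks it before it reaches SQL; the function names and the sample inputs are hypothetical.

```ruby
# Illustrative bounding-box SQL builders. Added example, NOT Geocoder's code.

# Unsafe: sw_lat, sw_lng, ne_lat, ne_lng are rendered into the SQL text as-is,
# so a non-numeric string supplied by a request becomes part of the query.
def unsafe_within_bounding_box(sw_lat, sw_lng, ne_lat, ne_lng)
  "latitude BETWEEN #{sw_lat} AND #{ne_lat} " \
    "AND longitude BETWEEN #{sw_lng} AND #{ne_lng}"
end

# Kernel#Float raises ArgumentError for anything that is not a numeric literal
# ("1 OR 1=1", "", "abc") and TypeError for nil, so only a real number gets
# through; the range check then rejects values that cannot be a coordinate.
def coerce_coordinate(value, min, max)
  f = Float(value)
  raise ArgumentError, "coordinate out of range: #{f}" unless f.between?(min, max)
  f
end

# Hardened: every coordinate is a validated Float before the clause is built,
# so the rendered text can only ever contain numeric literals.
def safe_within_bounding_box(sw_lat, sw_lng, ne_lat, ne_lng)
  lat1, lat2 = [sw_lat, ne_lat].map { |v| coerce_coordinate(v, -90.0, 90.0) }
  lng1, lng2 = [sw_lng, ne_lng].map { |v| coerce_coordinate(v, -180.0, 180.0) }
  "latitude BETWEEN #{lat1} AND #{lat2} AND longitude BETWEEN #{lng1} AND #{lng2}"
end

# Preferred form: keep the values out of the SQL text entirely and hand them to
# the driver as bind parameters (returns [sql, binds] for an ActiveRecord-style
# `where(sql, *binds)` call; that call is assumed, not shown).
def bound_within_bounding_box(sw_lat, sw_lng, ne_lat, ne_lng)
  lat1, lat2 = [sw_lat, ne_lat].map { |v| coerce_coordinate(v, -90.0, 90.0) }
  lng1, lng2 = [sw_lng, ne_lng].map { |v| coerce_coordinate(v, -180.0, 180.0) }
  ["latitude BETWEEN ? AND ? AND longitude BETWEEN ? AND ?", [lat1, lat2, lng1, lng2]]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate box around a city, then a tampered sw_lat.
  puts safe_within_bounding_box("40.5", "-74.2", "40.9", "-73.7")
  begin
    safe_within_bounding_box("1 OR 1=1", "-74.2", "40.9", "-73.7")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```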