OSVDB-114854 (activerecord-jdbc-adapter): ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection

UNAFFECTED VERSIONS

< 1.2.6

PATCHED VERSIONS

>= 1.2.8

DESCRIPTION

ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the sql.gsub() function in lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

https://github.com/jruby/activerecord-jdbc-adapter/issues/322
https://github.com/jruby/activerecord-jdbc-adapter/blob/master/lib/arjdbc/jdbc/adapter.rb
https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDJDBCADAPTER-20076
https://my.diffend.io/gems/activerecord-jdbc-adapter/1.2.5/1.2.8
http://osvdb.org/show/osvdb/114854

RubySec

OSVDB-114854 (activerecord-jdbc-adapter): ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection

ADVISORIES

GEM

PLATFORM

UNAFFECTED VERSIONS

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories