RubySec

Providing security resources for the Ruby community

OSVDB-114854 (activerecord-jdbc-adapter): ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection

ADVISORIES

  • OSVDB-114854

GEM

activerecord-jdbc-adapter

PLATFORM

jruby

UNAFFECTED VERSIONS

  • < 1.2.6

PATCHED VERSIONS

  • >= 1.2.8

DESCRIPTION

ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow an SQL injection attack. The issue is due to the sql.gsub() call in lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, leading to the manipulation or disclosure of arbitrary data.
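A version-range check built from this advisory's own constraints, added here as an example (it is not part of the RubySec page or of the AR-JDBC project): it parses a constructed Gemfile.lock fragment and reports the gem when its locked version satisfies neither the unaffected nor the patched requirement, which is the same test bundler-audit applies to Ruby Advisory DB entries.

```ruby
require "rubygems"

# Constraints exactly as stated in this advisory (OSVDB-114854).
ADVISORY = {
  gem: "activerecord-jdbc-adapter",
  unaffected: ["< 1.2.6"],
  patched: [">= 1.2.8"],
}.freeze

# Constructed Gemfile.lock fragment for the demonstration (not taken from the page).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activerecord (4.0.13)
        activesupport (= 4.0.13)
      activerecord-jdbc-adapter (1.2.7)
      activerecord-jdbc-sqlite3-adapter (1.2.7)
LOCK

# Collect "name (version)" spec lines (indented exactly four spaces) into a Hash.
# Dependency lines such as "activesupport (= 4.0.13)" are indented deeper and skipped.
def locked_versions(lockfile)
  lockfile.scan(/^ {4}([\w.-]+) \(([^)]+)\)$/).to_h
end

# A version is vulnerable unless some unaffected or patched requirement admits it.
# A platform suffix like "1.2.8-java" is dropped so it is not mistaken for a prerelease.
def vulnerable?(version, advisory)
  v = Gem::Version.new(version.split("-").first)
  safe = (advisory[:unaffected] + advisory[:patched]).any? do |req|
    Gem::Requirement.new(req).satisfied_by?(v)
  end
  !safe
end

# Return [[gem, version]] for the advisory's gem if its locked version is affected.
def audit(lockfile, advisory = ADVISORY)
  ver = locked_versions(lockfile)[advisory[:gem]]
  return [] unless ver && vulnerable?(ver, advisory)
  [[advisory[:gem], ver]]
end

puts audit(SAMPLE_LOCKFILE).inspect if $PROGRAM_NAME == __FILE__
```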