QwikSec

Security Database

CVE

CWE

Training

CVE-2023-22794

Published: Feb 9, 2023

Modified: Aug 2, 2024

PUBLISHED

Description

A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.

Vendor	Product	Versions
n/a	https://github.com/rails/rails	affected `6.0.6.1, 6.1.7.1, 7.0.4.1`

Weaknesses (CWE)

References

https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117

vendor-advisory

https://security.netapp.com/advisory/ntap-20240202-0008/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.