Bug 2164785 (CVE-2023-22794)

Summary: CVE-2023-22794 rubygem-activerecord: SQL Injection
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: bbuckingham, bcourt, ehelms, jsherril, lzap, mhulan, nmoumoul, orabin, pcreech, rchan
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: rubygem-activerecord 6.0.6.1, rubygem-activerecord 6.1.7.1, rubygem-activerecord 7.0.4.1
Doc Text:
A flaw was found in RubyGem's activerecord gem, which is vulnerable to SQL injection. This flaw allows a remote attacker to send specially-crafted SQL statements to the comments, allowing the attacker to view, add, modify, or delete information in the back-end database.
Bug Depends On: 2164787, 2164786    
Bug Blocks: 2162605    

Description ybuenos 2023-01-26 13:57:56 UTC
If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.
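
The failure mode described above, shown as an added example that is not part of the original report and is not ActiveRecord's code: text interpolated into a SQL block comment stops being a single comment once it carries its own comment delimiters, and an allow-list check at the call site refuses such text. The helper names, the allow-list pattern and the sample values are assumptions made for this illustration.

```ruby
# Added illustration. Helper names are hypothetical, not ActiveRecord APIs.

# Allow-list (an assumption of this example): letters, digits and a few
# separators. Neither "*" nor "/" is allowed, so no comment delimiter fits.
ANNOTATION_OK = /\A[A-Za-z0-9_.:=, \-]{1,128}\z/

# Constructed sample values.
GOOD_TAG = "controller:users,action:index"
BAD_TAG  = "job:nightly */ OUTSIDE /* x"

# Unsafe pattern: raw interpolation of the text into a block comment.
def naive_comment(text)
  "/* #{text} */"
end

# Hardened pattern: refuse anything outside the allow-list before rendering.
def safe_comment(text)
  text = text.to_s
  unless ANNOTATION_OK.match?(text)
    raise ArgumentError, "annotation rejected: disallowed characters or length"
  end
  "/* #{text} */"
end

# True when the rendered string is one block comment: a single opener at the
# start and a single closer at the end, nothing parsed outside it.
def single_comment?(rendered)
  rendered.start_with?("/*") && rendered.end_with?("*/") &&
    rendered.scan("/*").size == 1 && rendered.scan("*/").size == 1
end

if __FILE__ == $PROGRAM_NAME
  puts single_comment?(naive_comment(GOOD_TAG))
  puts single_comment?(naive_comment(BAD_TAG))
  begin
    safe_comment(BAD_TAG)
  rescue ArgumentError => e
    puts e.message
  end
end
```

A call-site check like this is only a stopgap for applications that pass request data into annotations; the releases listed under Fixed In Version address the sanitization in the gem itself.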

Comment 1 ybuenos 2023-01-26 14:00:15 UTC
Created rubygem-activerecord tracking bugs for this issue:

Affects: fedora-all [bug 2164786]