CVE-2017-17919

Опубликовано: 29 дек. 2017

Источник: nvd

CVSS3: 8.1

CVSS2: 6.8

EPSS Низкий

Описание

SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input

Ссылки

https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
Exploit
Third Party Advisory
https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*

Версия до 5.1.4 (включая)

EPSS

Процентиль: 68%

0.00582

Низкий

8.1 High

CVSS3

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

CVE-2017-17919

CVSS3: 8.1

ubuntu

около 8 лет назад

CVE-2017-17919

CVSS3: 8.1

debian

около 8 лет назад

SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1 ...

GHSA-rjh4-8mqr-rvr8

CVSS3: 8.1

github

больше 3 лет назад

** DISPUTED ** SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

EPSS

Процентиль: 68%

0.00582

Низкий

8.1 High

CVSS3

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-89