CVE-2023-22794: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

February 9, 2023 (updated February 2, 2024)

A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.

References

discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
github.com/advisories/GHSA-hq7p-j377-6v63
github.com/rails/rails/releases/tag/v7.0.4.1
nvd.nist.gov/vuln/detail/CVE-2023-22794

Detect and mitigate CVE-2023-22794 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →