CVE-2023-22794
SQL Injection vulnerability in activerecord (RubyGems)

SQL Injection. No known public exploit.

What is CVE-2023-22794 About?

ActiveRecord lets callers attach comments to the SQL it generates, through the annotate and optimizer_hints query methods and through the QueryLogs interface. In the affected versions the sanitize_as_sql_comment helper did not sufficiently sanitize that text, so where an application passes user-controlled input to one of these interfaces an attacker can terminate the comment early and have the remainder of the input parsed as SQL, leading to unauthorized reading or modification of data. Exploitation is straightforward wherever an application feeds unsanitized user input into the affected interfaces; the issue is only reachable where an application does so.

Affected Software

  • activerecord
    • >=7.0.0, <7.0.4.1
    • >=6.1.0, <6.1.7.1
    • >=6.0.0, <6.0.6.1

Technical Details

The vulnerability lies in how ActiveRecord escapes text destined for a SQL comment. It affects all 6.0.x, 6.1.x and 7.0.x releases before 6.0.6.1, 6.1.7.1 and 7.0.4.1 respectively. Text given to annotate or optimizer_hints, or added as a QueryLogs tag when QueryLogs is configured to include user input, is passed through the sanitize_as_sql_comment helper and then emitted inside a /* ... */ block comment in the generated statement. That helper did not sufficiently neutralize the comment delimiters, so attacker-controlled text could still contain a sequence that the database treats as the end of the comment. Everything after that point is no longer comment text but part of the statement, which is what lets an attacker execute arbitrary SQL against the database.

What is the Impact of CVE-2023-22794?

Successful exploitation allows an attacker to execute arbitrary SQL with the privileges of the application's database user, bypassing the application's own access controls to read, modify or delete sensitive data.

What is the Exploitability of CVE-2023-22794?

Exploitation requires the application to pass untrusted input into ActiveRecord's annotate or optimizer_hints query methods, or to configure QueryLogs tags that include user-controlled values. Where that is the case, complexity is low: the attacker needs only to craft a string that escapes the comment. No authentication is needed if the vulnerable endpoint is reachable anonymously; if the vulnerable operation sits behind a login, an authenticated user is required. In the usual case the attack is remote. The main risk factor is developers feeding request data into these interfaces, which the ActiveRecord documentation advises against.
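The mechanism described in the Technical Details and Exploitability sections above, as an added example written for this page. This is not ActiveRecord's code and not the Rails patch: with_sql_comment is a stand-in for the comment-appending behaviour of annotate, optimizer_hints and QueryLogs, the ANNOTATIONS table and the UNTRUSTED string are constructed for illustration, and neutralize_comment_delimiters is an illustrative defence-in-depth sanitizer, not ActiveRecord's sanitize_as_sql_comment. The example shows why a surviving "*/" is an injection, and the two controls a practitioner should apply: never interpolate request data into a comment (allowlist it instead), and, for text that must be echoed, make the comment delimiters unreachable.

```ruby
# Added example (not ActiveRecord's code). Models how untrusted text ends up
# inside a SQL comment and how to keep it there.

# Stand-in for the comment-appending behaviour of annotate / QueryLogs:
# the text is wrapped in a C-style block comment and appended to the SQL.
def with_sql_comment(sql, comment)
  "#{sql} /* #{comment} */"
end

# A comment body containing "*/" terminates the comment early; whatever
# follows that delimiter is parsed by the database as SQL, not as comment.
def escapes_comment?(comment_body)
  comment_body.include?("*/")
end

# Control 1 (preferred): never interpolate request data. The user picks a
# key; the annotation text itself is a developer-controlled constant.
# (Constructed allowlist for illustration.)
ANNOTATIONS = {
  "dashboard" => "source=dashboard",
  "export"    => "source=export",
}.freeze

def annotation_for(key)
  ANNOTATIONS.fetch(key.to_s, "source=unknown")
end

# Control 2 (defence in depth, for text that must be echoed, e.g. a request
# id in a QueryLogs tag): make "*/" and "/*" unreachable by inserting a space
# between the two characters. Inserting a space never creates a new adjacent
# pair, so one pass per delimiter is sufficient. Illustrative sanitizer, not
# ActiveRecord's sanitize_as_sql_comment.
def neutralize_comment_delimiters(text)
  text.to_s.gsub("*/", "* /").gsub("/*", "/ *")
end

# Constructed attacker-style input: closes the comment, then opens another so
# the trailing "*/" appended by the framework is swallowed.
UNTRUSTED = "req=1 */ OR 1=1 /*"

if __FILE__ == $PROGRAM_NAME
  # Vulnerable: "OR 1=1" lands outside any comment and is parsed as SQL.
  puts with_sql_comment("SELECT * FROM posts", UNTRUSTED)
  # Safe: the user-chosen key only selects a fixed annotation.
  puts with_sql_comment("SELECT * FROM posts", annotation_for(UNTRUSTED))
  # Safe: delimiters neutralized, the whole string stays inside the comment.
  puts with_sql_comment("SELECT * FROM posts", neutralize_comment_delimiters(UNTRUSTED))
end
```

The first control is the one the advisory's workaround amounts to: if request data never reaches annotate, optimizer_hints or a QueryLogs tag, the sanitizer is never load-bearing. The second only matters where some user-derived value genuinely has to appear in the comment, and even then it should sit behind the version upgrade, not replace it.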

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2023-22794?

Available Upgrade Options

  • activerecord
    • >=6.0.0, <6.0.6.1 → Upgrade to 6.0.6.1
    • >=6.1.0, <6.1.7.1 → Upgrade to 6.1.7.1
    • >=7.0.0, <7.0.4.1 → Upgrade to 7.0.4.1

Additional Resources

What are Similar Vulnerabilities to CVE-2023-22794?

Similar Vulnerabilities: CVE-2021-22927, CVE-2021-22928, CVE-2021-39187, CVE-2020-8164, CVE-2020-8163