GHSA-2p5p-m353-833w

Source
https://github.com/advisories/GHSA-2p5p-m353-833w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-2p5p-m353-833w/GHSA-2p5p-m353-833w.json
Aliases
Published
2020-03-13T21:05:44Z
Modified
2023-11-08T04:03:53.213280Z
Details

In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord SQL protections.

Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication.

This is patched in wersion 0.13.0.

References

Affected packages

RubyGems / administrate

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
0.13.0

Affected versions

0.*

0.0.2
0.0.3
0.0.4
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.2.0.rc1
0.2.0
0.2.1
0.2.2
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.8.1
0.9.0
0.10.0
0.11.0
0.12.0