
Sort order SQL injection in Administrate

High severity GitHub Reviewed Published Mar 13, 2020 in thoughtbot/administrate • Updated May 4, 2023

Package

bundler administrate (RubyGems)

Affected versions

< 0.13.0

Patched versions

0.13.0

Description

In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard,
the direction parameter was not validated before being interpolated into the SQL query.
This could allow SQL injection if an attacker were able to modify the direction parameter and bypass ActiveRecord's SQL protections.

Whilst this does have a high impact, to exploit it you need access to the Administrate dashboards, which we would expect to be behind authentication.

This is patched in version 0.13.0.

References

nickcharlton published to thoughtbot/administrate Mar 13, 2020
Reviewed Mar 13, 2020
Published to the GitHub Advisory Database Mar 13, 2020
Last updated May 4, 2023

Severity

High
7.7 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Weaknesses

CVE ID

CVE-2020-5257

GHSA ID

GHSA-2p5p-m353-833w

Source code

No known source code

Credits
