Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-4298: Adding protection against SQL injection · ndlib/sipity@d1704c7

A vulnerability classified as critical has been found in Hesburgh Libraries of Notre Dame Sipity. This affects the function SearchCriteriaForWorksParameter of the file app/parameters/sipity/parameters/search_criteria_for_works_parameter.rb. The manipulation leads to sql injection. Upgrading to version 2021.8 is able to address this issue. The name of the patch is d1704c7363b899ffce65be03a796a0ee5fdbfbdc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217179.

CVE
#sql#vulnerability#ruby

Permalink

Browse files

Adding protection against SQL injection

Prior to this commit, the SearchCriteriaForWorksParameter class was to optimistic in the additional_attributes it received. This was “okay” in that these attributes were passed from within the application (and not from user input).

However, I wanted to tighten that up further which is why I added the changes to fetch the attributes from a map.

And even with all of this, [brakeman][1] identified this as a weak chance for SQL injection. So I also added a config/brakeman.yml file to skip over this file. (alas I can’t skip over a singular violation)

[1]:https://rubygems.org/gems/brakeman

  • Loading branch information

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907