SB2014072912 - SQL injection in ruby-redmine-activesupport (Alpine package)
Published: July 29, 2014
Security Bulletin ID: SB2014072912
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation
Description
This security bulletin contains information about 1 security vulnerability.
1) SQL injection (CVE-ID: CVE-2014-3482)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=dad2215438e3ff0d93efdc6b8a7c4f03bd9a4292
- https://git.alpinelinux.org/aports/commit/?id=e9cf2371bef95401aee294e176db38d939df2b13
- https://git.alpinelinux.org/aports/commit/?id=8f1d4f8b90e876afed354ad115e6f333f6fe6c10
- https://git.alpinelinux.org/aports/commit/?id=46196d83b03d2c6df93df2176e3c040cdae42271
- https://git.alpinelinux.org/aports/commit/?id=3e195f0bca03c6e02ce38ed55c004c3e449e169c
- https://git.alpinelinux.org/aports/commit/?id=3e30d7fb19ee9c24627e31531136f54556305948
- https://git.alpinelinux.org/aports/commit/?id=98410154a50b746fc1d7a7d4b338d2778c8aa5f9