SB2014072919 - SQL injection in ruby-activemodel (Alpine package)
Published: July 29, 2014
Security Bulletin ID
SB2014072919
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Description
This security bulletin contains information about 1 security vulnerability.
1) SQL injection (CVE-ID: CVE-2014-3483)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=dad2215438e3ff0d93efdc6b8a7c4f03bd9a4292
- https://git.alpinelinux.org/aports/commit/?id=e9cf2371bef95401aee294e176db38d939df2b13
- https://git.alpinelinux.org/aports/commit/?id=ac58030d7cebab0dc5e5ae114e8121a83f598b6d
- https://git.alpinelinux.org/aports/commit/?id=b91843753d8aa36735a12179e7b854a9328a0153
- https://git.alpinelinux.org/aports/commit/?id=cdab621ae7d9ec5b79d4bcacd946599e10038b24
- https://git.alpinelinux.org/aports/commit/?id=a3d8c0508bd6a149dc65b0c9370db8c5dd727b6c
- https://git.alpinelinux.org/aports/commit/?id=e1b6e3bd8f1acafb2aa9393fb2bab483380ce50e