{
  "id": "openEuler-SA-2023-1132",
  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1132",
  "title": "An update for rubygem-activerecord is now available for openEuler-22.03-LTS",
  "severity": "Important",
  "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL.\r\n\r\nSecurity Fix(es):\r\n\r\nA denial of service vulnerability is present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range of a 64-bit signed integer is provided to the PostgreSQL connection adapter, it treats the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan, resulting in a potential denial of service. (CVE-2022-44566)\r\n\r\nA vulnerability in ActiveRecord <6.0.6.1, <6.1.7.1 and <7.0.4.1 is related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface, which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment. (CVE-2023-22794)",
  "cves": [
    {
      "id": "CVE-2023-22794",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22794",
      "severity": "Important"
    }
  ]
}
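The two failure modes named in the advisory, modelled in plain Ruby as an added example (this is not code from openEuler or from Rails, and it needs neither a database nor the activerecord gem). `naive_annotate` is the unsafe shape of the comment-wrapping done by `annotate`/`optimizer_hints`: user text containing `*/` closes the SQL block comment early and the remainder executes as SQL. `sanitize_sql_comment` strips comment delimiters until none remain, and `coerce_int8` is the input check that keeps out-of-range integers away from the PostgreSQL adapter. All helper names are hypothetical; the supported remediation is the updated rubygem-activerecord package, and these checks only illustrate the mechanism.

```ruby
# Added illustrative example; not openEuler's or Rails' own code.
# Helper names (coerce_int8, naive_annotate, sanitize_sql_comment,
# safe_annotate, executable_sql) are hypothetical.

INT8_MIN = -(2**63)
INT8_MAX = 2**63 - 1

# CVE-2022-44566: an integer literal outside the signed 64-bit range makes the
# PostgreSQL adapter compare the column as `numeric`, which can force a slow
# sequential scan. Reject such input before it reaches the query builder.
# Returns the Integer, or nil when the input is not an in-range integer.
def coerce_int8(raw)
  return nil unless raw.is_a?(Integer) || raw.to_s.match?(/\A\s*[+-]?\d+\s*\z/)
  value = Integer(raw.to_s.strip, 10)
  (INT8_MIN..INT8_MAX).cover?(value) ? value : nil
end

# CVE-2023-22794: the unsafe pattern. A comment value is interpolated into a
# `/* ... */` block verbatim, so a value containing `*/` ends the comment.
def naive_annotate(sql, comment)
  "#{sql} /* #{comment} */"
end

# Remove every `/*` and `*/` until none remain. One pass is not enough:
# "**//" has no terminator, yet deleting its one "*/" leaves another "*/".
def sanitize_sql_comment(value)
  text = value.to_s.dup
  loop do
    stripped = text.gsub(%r{/\*|\*/}, "")
    break if stripped == text
    text = stripped
  end
  text.strip
end

# The hardened pattern: sanitize before wrapping.
def safe_annotate(sql, comment)
  "#{sql} /* #{sanitize_sql_comment(comment)} */"
end

# What the database would run: drop block comments (non-nesting, as MySQL and
# SQLite parse them; PostgreSQL nests block comments, but the payload below
# breaks out under either rule) and normalise whitespace.
def executable_sql(sql)
  sql.gsub(%r{/\*.*?\*/}m, " ").squeeze(" ").strip
end

if __FILE__ == $PROGRAM_NAME
  base = "SELECT * FROM users WHERE id = 1"
  evil = "*/ OR 1=1 /*"            # constructed attacker-controlled annotation
  puts "naive : #{executable_sql(naive_annotate(base, evil))}"
  puts "safe  : #{executable_sql(safe_annotate(base, evil))}"
  puts "int8  : #{coerce_int8('9223372036854775808').inspect}"
end
```

Running the file shows the naive wrapper executing `... WHERE id = 1 OR 1=1` while the sanitized wrapper leaves the statement unchanged, and the out-of-range id being rejected (nil) instead of being handed to the adapter.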