OESA-2023-1133

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1133
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2023-1133.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2023-1133
Upstream
Published
2023-03-01T11:04:59Z
Modified
2025-08-12T05:15:48.031524Z
Summary
rubygem-activerecord security update
Details

Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL.

Security Fix(es):

A denial of service vulnerability is present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range of a 64-bit signed integer is provided to the PostgreSQL connection adapter, it treats the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan, resulting in a potential denial of service. (CVE-2022-44566)

A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface (which automatically adds annotations), it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment. (CVE-2023-22794)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP1 / rubygem-activerecord

Package

Name
rubygem-activerecord
Purl
pkg:rpm/openEuler/rubygem-activerecord&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.4.1-2.oe2203sp1

Ecosystem specific

{
    "src": [
        "rubygem-activerecord-6.1.4.1-2.oe2203sp1.src.rpm"
    ],
    "noarch": [
        "rubygem-activerecord-doc-6.1.4.1-2.oe2203sp1.noarch.rpm",
        "rubygem-activerecord-6.1.4.1-2.oe2203sp1.noarch.rpm"
    ]
}