CVE-2020-5257-expected.json
[
{
"advisory_id": "gems/CVE-2020-5257",
"aliases": [
"CVE-2020-5257",
"GHSA-2p5p-m353-833w"
],
"summary": "Sort order SQL injection via `direction` parameter in administrate\nIn Administrate (rubygem) before version 0.13.0, when sorting by attributes\non a dashboard, the direction parameter was not validated before being\ninterpolated into the SQL query.\n\nThis could present a SQL injection if the attacker were able to modify the\ndirection parameter and bypass ActiveRecord SQL protections.\n\nWhilst this does have a high-impact, to exploit this you need access to the\nAdministrate dashboards, which should generally be behind authentication.",
"affected_packages": [
{
"package": {
"type": "gem",
"namespace": "",
"name": "administrate",
"version": "",
"qualifiers": "",
"subpath": ""
},
"affected_version_range": null,
"fixed_version_range": "vers:gem/>=0.13.0",
"introduced_by_commit_patches": [],
"fixed_by_commit_patches": []
}
],
"references_v2": [
{
"reference_id": "",
"reference_type": "",
"url": "https://github.com/advisories/GHSA-2p5p-m353-833w"
}
],
"patches": [],
"severities": [
{
"system": "cvssv3",
"value": "7.7",
"scoring_elements": ""
}
],
"date_published": "2020-03-14T00:00:00+00:00",
"weaknesses": [],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2020-5257.yml"
}
]