Framework: Ruby on Rails
Affected Version: <= 5.1.4
Published: December 27th, 2017
Reported by: Kay
Ruby on Rails is a web application development framework written in the Ruby language. Several issues were discovered in the Active Record Query Interface which may allow arbitrary SQL injection. SQL statements can be injected into Rails applications with the setting
in database.yml by some query methods like
When these query methods are given string parameters, the SQL statements they generate can be separated by semicolons.
It is confirmed that these vulnerabilities may affect applications built on MySQL. What's worse, it has been verified that if a Rails application is built on Alibaba Cloud RDS for MySQL, an attack will also succeed without setting flags: [MULTI_STATEMENTS] in the Rails application.
To summarize, exploitation is possible only if all of these conditions are true:
A Rails application is built on Alibaba Cloud RDS for MySQL, or it has flags: [MULTI_STATEMENTS] set in database.yml
String parameters are passed to query methods like
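Since the flags: [MULTI_STATEMENTS] setting in database.yml is one of the preconditions above, a defender's first check is whether any environment in that file enables it. The following Ruby script is an added example written for this page, not code from the advisory or from the Rails project. It parses a database.yml (the sample below is constructed), expands ERB as Rails does, and reports the MySQL environments whose connection flags turn on multi-statement execution. The flag spellings it accepts (an array of names, a separated string, or the integer bitmask 1 << 16 for CLIENT_MULTI_STATEMENTS) are assumptions about how the mysql2 adapter reads the flags option; the helper names are the example's own.

```ruby
require "yaml"
require "erb"

# Bit for CLIENT_MULTI_STATEMENTS in the MySQL client flag bitmask (1 << 16),
# used when `flags` is written as an integer instead of a list of names.
MULTI_STATEMENTS_BIT = 1 << 16

# Constructed sample database.yml: development enables the flag by name,
# test enables it as a raw bitmask, production leaves it off.
SAMPLE_DATABASE_YML = <<~YAML
  default: &default
    adapter: mysql2
    encoding: utf8mb4

  development:
    <<: *default
    database: app_dev
    flags: [MULTI_STATEMENTS]

  test:
    <<: *default
    database: app_test
    flags: 65536

  production:
    <<: *default
    database: app_prod
YAML

# Returns true if the `flags` value enables MULTI_STATEMENTS. Assumption: the
# adapter accepts an integer bitmask, an array of flag names, or a single
# string of names separated by whitespace, commas or pipes.
def multi_statements_enabled?(flags)
  case flags
  when Integer then (flags & MULTI_STATEMENTS_BIT) != 0
  when Array   then flags.map { |f| f.to_s.upcase }.include?("MULTI_STATEMENTS")
  when String  then flags.split(/[\s,|]+/).map(&:upcase).include?("MULTI_STATEMENTS")
  else false
  end
end

# Parses database.yml text (ERB is evaluated first, as Rails does) and returns
# the names of MySQL environments that have MULTI_STATEMENTS turned on.
# Top-level anchors such as `default` are skipped unless they carry the flag.
def environments_with_multi_statements(yaml_text)
  config = YAML.safe_load(ERB.new(yaml_text).result, aliases: true) || {}
  config.each_with_object([]) do |(env, settings), risky|
    next unless settings.is_a?(Hash)
    next unless settings["adapter"].to_s.start_with?("mysql")
    risky << env if multi_statements_enabled?(settings["flags"])
  end
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_DATABASE_YML
  risky = environments_with_multi_statements(text)
  if risky.empty?
    puts "No environment enables MULTI_STATEMENTS."
  else
    puts "MULTI_STATEMENTS enabled in: #{risky.join(', ')}"
  end
end
```

Run it as `ruby check_flags.rb config/database.yml` to audit a real file, or without arguments to see the constructed sample report development and test. Removing the flag (or the matching bit from an integer mask) closes the multi-statement precondition for self-hosted MySQL; the advisory notes that on Alibaba Cloud RDS for MySQL the attack succeeded without the flag, so the database-side configuration must be reviewed there as well.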
CVE-2017-17916 SQL injection in
CVE-2017-17917 SQL injection in
CVE-2017-17919 SQL injection in
CVE-2017-17920 SQL injection in