CVE-2023-22794
Published: 09 February 2023
Summary
CVE-2023-22794 is a high-severity SQL Injection (CWE-89) vulnerability in Activerecord Project Activerecord. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 9.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A SQL injection vulnerability exists in ActiveRecord, the object-relational mapping component of Ruby on Rails, affecting versions prior to 6.0.6.1, 6.1.7.1, and 7.0.4.1. Insufficient sanitization of user-supplied input occurs when that input reaches the annotate or optimizer_hints query methods, or when it is processed automatically through the QueryLogs interface, allowing the input to escape SQL comment boundaries and execute arbitrary SQL.
An attacker who can supply crafted values to these interfaces, typically a low-privileged but authenticated user, can inject SQL statements that run with the permissions of the application database connection. Successful exploitation can result in full read, write, or deletion of database contents, corresponding to the reported CVSS 8.8 rating under CWE-89.
Official Rails announcements and downstream advisories, including those from Debian (DSA-5372) and NetApp, direct administrators to upgrade ActiveRecord to the fixed releases. The patches restore proper escaping of comment content so that injected payloads remain confined within SQL comments.
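To make the weakness and its fix concrete, here is an added Ruby example (not ActiveRecord's own code, and not the actual Rails patch): a small sanitizer that confines arbitrary annotation text inside a SQL block comment, the same kind of trailing comment that `annotate`, `optimizer_hints` and QueryLogs append to a query, plus a check a defender can run over generated statements to confirm the comment is closed exactly once. The helper names (`sanitize_sql_comment`, `build_annotated_sql`, `comment_confined?`, `annotation_tampered?`) and the sample inputs are constructed for this example; the regular expression is this example's own, not the one used in the Rails fix.

```ruby
# Added example: confining user-controlled text inside a SQL block comment.
# Hypothetical helpers; not the ActiveRecord API and not the Rails patch.

# Strip every comment-delimiter sequence ("/*", "*/", including runs such
# as "/**" and "**/"). Removing one delimiter can bring two fragments
# together that form another ("*" followed by "/"), so repeat until the
# string no longer changes.
def sanitize_sql_comment(text)
  s = text.to_s.dup
  loop { break unless s.gsub!(%r{/\*+|\*+/}, "") }
  s
end

# Detection signal: true when sanitization had to alter the annotation,
# i.e. the caller supplied text containing a comment delimiter. Suitable
# for logging or alerting before the query is issued.
def annotation_tampered?(text)
  sanitize_sql_comment(text) != text.to_s
end

# Mimics how an ORM appends an annotation as a trailing block comment.
# The weak form interpolates the raw text; the hardened form sanitizes it.
def build_annotated_sql_unsafe(sql, annotation)
  "#{sql} /* #{annotation} */"
end

def build_annotated_sql(sql, annotation)
  "#{sql} /* #{sanitize_sql_comment(annotation)} */"
end

# Post-condition check for a generated statement: everything after the
# query body must be a single comment that opens once, closes once, and
# closes at the very end, so nothing can follow it as executable SQL.
def comment_confined?(statement, query_body)
  return false unless statement.start_with?(query_body)
  tail = statement[query_body.length..]
  tail.scan("/*").length == 1 &&
    tail.scan("*/").length == 1 &&
    tail.end_with?("*/")
end

if __FILE__ == $0
  query = "SELECT id FROM users WHERE active = 1"
  benign = "job=nightly"                  # constructed sample input
  hostile = "job=nightly */ extra /*"     # constructed: contains delimiters

  [benign, hostile].each do |annotation|
    weak = build_annotated_sql_unsafe(query, annotation)
    safe = build_annotated_sql(query, annotation)
    puts "input: #{annotation.inspect}"
    puts "  tampered?       #{annotation_tampered?(annotation)}"
    puts "  weak confined?  #{comment_confined?(weak, query)}"
    puts "  safe confined?  #{comment_confined?(safe, query)}"
  end
end
```

Run it as a script to see the weak builder lose confinement on the second input while the hardened builder keeps it; in a real deployment the `annotation_tampered?` signal is the one worth logging, since QueryLogs can attach request-derived values to every query without any explicit call in application code.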
EPSS scores have remained low, moving only from a peak of 0.0687 to a current value of 0.0576 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0490
Vulnerability details
A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.