CVE-2017-17917: SQL Injection in Rails

CWE-89 SQL Injection | 6 documents | 5 sources

Severity: 8.1 HIGH (NVD)
EPSS: 1.8% (top 17.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (none listed)
Timeline: Published Dec 29, 2017; Latest update May 14, 2022

Description

SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the Rails documentation states that a raw SQL string passed to this method is not intended for use with untrusted input; the affected pattern is an application building the condition string from request data, not a defect in the framework's parameterized forms.
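To make the dispute concrete, the following is an added example (not code from this page or from the Rails project): a deliberately small model of the three ways an application can hand a condition to `where`. `QuoteStub` stands in for the database adapter's value quoting and `WhereBuilder` for the query assembly; both names, the `users` table and the sample `id` inputs are assumptions constructed for the illustration. The string-interpolation form reproduces the injection described above; the placeholder and hash forms quote the same input so it can only ever match a literal.

```ruby
# Minimal model of how a `where`-style API treats its argument forms.
# Not ActiveRecord code; QuoteStub/WhereBuilder are hypothetical names.

module QuoteStub
  # Mimics a connection adapter's quote(): numerics pass through unchanged,
  # nil becomes NULL, everything else is single-quoted with embedded quotes
  # doubled (SQL-standard escaping), so a value can never close the literal.
  def self.quote(value)
    case value
    when Integer, Float then value.to_s
    when nil then "NULL"
    else "'" + value.to_s.gsub("'", "''") + "'"
    end
  end
end

class WhereBuilder
  BASE = "SELECT * FROM users WHERE ".freeze

  # VULNERABLE: the fragment is spliced in verbatim. This is what
  # where("id = #{params[:id]}") does; the framework cannot tell data
  # from SQL once the application has already concatenated them.
  def self.raw(fragment)
    BASE + fragment
  end

  # SAFE: positional placeholders, as in where("id = ?", params[:id]).
  # Each ? is replaced by the quoted value; the count must match exactly.
  def self.placeholders(template, *values)
    unless template.count("?") == values.size
      raise ArgumentError, "expected #{template.count('?')} values, got #{values.size}"
    end
    i = -1
    BASE + template.gsub("?") { QuoteStub.quote(values[i += 1]) }
  end

  # SAFE: hash conditions, as in where(id: params[:id]). Values are quoted;
  # keys are column names chosen by the developer, never by the request.
  def self.hash_conditions(conds)
    BASE + conds.map { |col, v| "#{col} = #{QuoteStub.quote(v)}" }.join(" AND ")
  end

  # Runs all three forms over one attacker-controlled `id` value so the
  # difference is visible side by side.
  def self.compare(user_id)
    {
      raw:          raw("id = #{user_id}"),
      placeholders: placeholders("id = ?", user_id),
      hash:         hash_conditions(id: user_id)
    }
  end
end

if __FILE__ == $0
  # Constructed sample input: a classic tautology payload for an `id` parameter.
  WhereBuilder.compare("1 OR 1=1").each { |form, sql| puts "#{form}: #{sql}" }
end
```

Running the block prints the raw form as `... WHERE id = 1 OR 1=1`, which matches every row, while the placeholder and hash forms yield `... WHERE id = '1 OR 1=1'`, a literal that matches nothing. The practical check when auditing a Rails codebase is therefore to grep for `where("` and `where('` calls whose string contains `#{` or `+` and move the interpolated value into a `?` placeholder or a hash key.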

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages: 1 package

🔴 Vulnerability Details (4)

- GHSA, 2022-05-14: GHSA-vqpc-h5g8-fhrw: ** DISPUTED ** SQL injection vulnerability in the 'where' method in Ruby on Rails 5...
- OSV, 2017-12-29: CVE-2017-17917: SQL injection vulnerability in the 'where' method in Ruby on Rails 5...
- CVEList, 2017-12-29: CVE-2017-17917: SQL injection vulnerability in the 'where' method in Ruby on Rails 5...
- OSV, 2017-12-29: CVE-2017-17917: ** DISPUTED ** SQL injection vulnerability in the 'where' method in Ruby on Rails 5...

📋 Vendor Advisories (1)

- Debian, 2017: CVE-2017-17917: rails - SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and ear...
Source: CVE-2017-17917 - SQL Injection in Rubyonrails Rails | cvebase