CVE-2023-22794: Understanding the Vulnerability in ActiveRecord that Allows for SQL Injection within Comments

A recent vulnerability, tracked as CVE-2023-22794, was discovered in ActiveRecord, the Object Relational Mapping (ORM) library used by Ruby on Rails. The vulnerability affects ActiveRecord versions before 6.0.6.1, 6.1.7.1, and 7.0.4.1 and stems from insufficient sanitization of the strings that ActiveRecord embeds in SQL comments.

This vulnerability can allow an attacker to inject SQL outside the comment, potentially causing severe harm to the database. In this article, we will delve into the details of this vulnerability, discuss how it can be exploited, and provide suggestions for addressing it.

The Code Snippet

Consider these snippets, which use the annotate query method and the optimizer_hints query method of ActiveRecord. Both embed the given string in a /* ... */ comment inside the generated SQL:

# Using annotate
posts = Post.annotate("Including author")
            .includes(:author)

# Using optimizer_hints
users = User.optimizer_hints("NO_INDEX_MERGE(users)")

In addition, the QueryLogs interface automatically appends comments (tags) to every query. It is enabled and configured in the application config, for example:

# config/application.rb
config.active_record.query_log_tags_enabled = true
config.active_record.query_log_tags = [
  :application,
  # A custom tag: the lambda's return value is interpolated into the SQL comment
  { note: ->(context) { context[:note] } }
]

In all three cases, if a malicious user can get an unsanitized string into one of these comments, the result is an SQL injection attack.

Exploit Details

To exploit this vulnerability, an attacker would need to get a malicious string passed to annotate, to optimizer_hints, or into a QueryLogs tag value. Let's see how this can happen.

Suppose we have an application where users can add comments to a post, and these comments can be annotated with data provided by the user. A malicious user could craft a string like this:

"author's info]--; DROP TABLE users; --"

Passing this malicious string to the annotate method, for example, could result in the following SQL query being generated:

SELECT * FROM posts /* Including author's info]--; DROP TABLE users; -- */

This SQL query will be sent directly to the database, and it will inject the destructive DROP TABLE users command, deleting the entire users table.

Original References

The vulnerability was reported by Jonathan Hefner. The details can be reviewed in the official Ruby on Rails GitHub repository and in the MITRE CVE entry.

Solutions and Recommendations

It is strongly recommended to update your application to the latest compatible version of ActiveRecord. If you cannot update the entire Rails framework, at least upgrade the ActiveRecord gem to 6.0.6.1, 6.1.7.1, or 7.0.4.1 (or later), depending on your Rails series.

In addition, always validate and sanitize user input, especially when it ends up in database queries (comments included) or in any other sensitive operation.

We hope this post helps you fully understand the CVE-2023-22794 vulnerability, its exploitation, and methods to address it. By staying informed about vulnerabilities in popular libraries like ActiveRecord, developers can continue to build secure applications that prevent malicious activities.

Timeline

Published on: 02/09/2023 20:15:00 UTC
Last modified on: 03/14/2023 08:15:00 UTC