CVE-2017-17920: SQL Injection
First published: Fri Dec 29 2017(Updated: )
** DISPUTED ** SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rubyonrails Ruby On Rails | <=5.1.4 | |
| <=5.1.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this SQL injection vulnerability?
The vulnerability ID for this SQL injection vulnerability is CVE-2017-17920.
What is the severity of CVE-2017-17920?
The severity of CVE-2017-17920 is high with a severity value of 8.1.
What is the affected software for CVE-2017-17920?
The affected software is Ruby on Rails version 5.1.4 and earlier.
How can remote attackers exploit CVE-2017-17920?
Remote attackers can exploit CVE-2017-17920 by executing arbitrary SQL commands through the 'name' parameter in the 'reorder' method.
Is there a disputed status for CVE-2017-17920?
Yes, there is a disputed status for CVE-2017-17920.
- collector/nvd-index
- agent/first-publish-date
- agent/type
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/status
- agent/softwarecombine
- agent/description
- agent/tags
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- status/disputed
- vendor/rubyonrails
- canonical/rubyonrails ruby on rails
- version/rubyonrails ruby on rails/5.1.4