CVE-2020-5257 : In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a

In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in wersion 0.13.0.

Published 2020-03-13 21:15:12

Updated 2020-03-18 16:05:25

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2020-5257

Thoughtbot » Administrate » For Ruby
Versions before (<) 0.13.0
cpe:2.3:a:thoughtbot:administrate:*:*:*:*:*:ruby:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-5257

EPSS FAQ

0.19%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-5257

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:N	8.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
7.7	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N	1.3	5.8	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2020-5257

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: nvd@nist.gov (Primary)
CWE-943 Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2020-5257

https://github.com/thoughtbot/administrate/commit/3ab838b83c5f565fba50e0c6f66fe4517f98eed3

Merge pull request from GHSA-2p5p-m353-833w · thoughtbot/administrate@3ab838b · GitHub
Patch;Third Party Advisory
https://github.com/thoughtbot/administrate/security/advisories/GHSA-2p5p-m353-833w

Sort order SQL injection · Advisory · thoughtbot/administrate · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-5257

Products affected by CVE-2020-5257

Exploit prediction scoring system (EPSS) score for CVE-2020-5257

CVSS scores for CVE-2020-5257

CWE ids for CVE-2020-5257

References for CVE-2020-5257