SQL injection for certain queries with variables #392
This was referenced Apr 20, 2022

jeremyf added a commit to forem/forem that referenced this issue on Apr 21, 2022:

Prior to this commit, we were seeing the following:

```console
❯ bundle exec bundle-audit check --update
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
  advisories:   562 advisories
  last updated: 2022-04-20 14:56:09 -0700
  commit:       1cca55530261d16f4cd16691c1ebbae86c91c28b
Name: blazer
Version: 2.5.0
CVE: CVE-2022-29498
Criticality: Unknown
URL: ankane/blazer#392
Title: SQL injection for certain queries with variables
Solution: upgrade to >= 2.6.0
Vulnerabilities found!
```

Blocking #17382
Blazer queries with variables are vulnerable to SQL injection in certain cases. This vulnerability has been assigned the CVE identifier CVE-2022-29498.
Versions Affected: 2.5.0 and below
Fixed Versions: 2.6.0
Impact
For some queries, specific variable values can modify the query rather than just the variable. This can occur if:
Since Blazer is designed to run arbitrary queries, the impact will typically be low. Users cannot run any queries they could not have already run. However, an attacker could get a user to run a query they would not have normally run. If the data source has write permissions, this could include modifying data in some cases.
Mitigation
All users running an affected release should upgrade when possible.
Blazer now uses parameterized queries or prepared statements for variables for a number of data sources, which mitigates the issue for their queries. Escaping has been fixed for the other data sources, but it's still possible for users to write queries that can't be escaped correctly, like `SELECT '{var}'`. For this reason, data sources should use credentials with read-only permissions.

Credit
Thanks to Al Chou for reporting the escaping issue.
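The following is an added illustration, not Blazer's own code, of the two points the advisory makes: quoting plus string interpolation cannot handle a template such as `SELECT '{var}'`, whereas rewriting `{var}` placeholders into bind parameters keeps the variable out of the SQL text entirely. The helper names (`naive_substitute`, `parameterize`, `placeholders_inside_literal`) and the `{name}` placeholder syntax are assumptions made for the example; the lint refuses templates whose placeholder already sits inside a quoted literal, since no escaping of the value can make such a query correct.

```ruby
# Added example; these helpers are hypothetical, not part of Blazer.

# Standard SQL literal quoting: wrap in single quotes, double any embedded quote.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# The pattern the advisory warns about: the quoted value is spliced into the
# SQL text. It works for `WHERE name = {name}` but produces a broken statement
# for `SELECT '{var}'`, because the template itself already supplies quotes.
def naive_substitute(sql, vars)
  sql.gsub(/\{(\w+)\}/) { quote_literal(vars.fetch(Regexp.last_match(1))) }
end

# Lint: return the names of placeholders that appear inside a single-quoted
# literal. Doubled quotes ('') toggle the state twice, so they cancel out.
def placeholders_inside_literal(sql)
  in_literal = false
  found = []
  sql.each_char.with_index do |ch, i|
    if ch == "'"
      in_literal = !in_literal
    elsif ch == "{" && in_literal
      close = sql.index("}", i)
      found << sql[(i + 1)...close] if close
    end
  end
  found
end

# Mitigation: replace each {var} with a positional bind placeholder and hand
# the values back separately so the database driver binds them as data.
# Templates the lint flags are rejected rather than silently mis-escaped.
def parameterize(sql, vars)
  bad = placeholders_inside_literal(sql)
  raise ArgumentError, "placeholder inside a string literal: #{bad.join(', ')}" unless bad.empty?

  binds = []
  text = sql.gsub(/\{(\w+)\}/) do
    binds << vars.fetch(Regexp.last_match(1))
    "?"
  end
  [text, binds]
end

if __FILE__ == $PROGRAM_NAME
  vars = { "name" => "o'brien" }
  puts naive_substitute("SELECT * FROM users WHERE name = {name}", vars)
  puts naive_substitute("SELECT '{var}'", { "var" => "x" }) # quotes collide
  p parameterize("SELECT * FROM users WHERE name = {name}", vars)
end
```

With a real driver (for example the `execute(sql, binds)` style most Ruby database adapters expose) the `?` text and the `binds` array are passed separately, which is what "parameterized queries or prepared statements" refers to above; the lint is the check to run over saved query templates after upgrading.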