SQL Injection Affecting mysql-binuuid-rails package, versions <1.1.1


Severity: critical

Snyk CVSS
    Attack Complexity: Low
    Confidentiality: High
    Integrity: High
    Availability: High

Threat Intelligence
    EPSS 0.3% (70th percentile)

NVD: 9.8 critical

  • Snyk ID SNYK-RUBY-MYSQLBINUUIDRAILS-72549
  • published 31 Oct 2018
  • disclosed 19 Oct 2018
  • credit Stan Pitucha, Geoff Evason, Emmanuel Joubaud

How to fix?

Upgrade mysql-binuuid-rails to version 1.1.1 or higher.

Overview

mysql-binuuid-rails is a gem that stores UUIDs in binary MySQL database columns.

Affected versions of this package are vulnerable to SQL Injection. The gem's column type is derived from the base Binary type but, unlike that type, it did not convert the value to hex before building the SQL literal. Instead, it assumed the string value provided was already a valid hex string and performed no checks on it, so any non-hex characters in the value (including quotes) reached the generated query unescaped.
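The following Ruby snippet is an added illustration and is not code from the mysql-binuuid-rails gem. It models the two behaviours the advisory contrasts: a hypothetical serializer that trusts its input as hex and interpolates it straight into a MySQL `x'...'` literal, and a hardened serializer that validates the value against the canonical UUID format before emitting the literal. The module and method names are assumptions chosen for the example.

```ruby
# Added example, not the gem's own code. Models the vulnerable and the
# hardened way of turning a UUID string into a MySQL binary literal.
module UuidHexLiteral
  # Canonical 8-4-4-4-12 UUID; \h matches one hex digit.
  UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

  # Vulnerable variant (hypothetical): assumes the value is already hex,
  # strips the dashes and interpolates it into the literal. Any non-hex
  # character, quotes included, is copied into the SQL text unchanged.
  def self.unsafe_literal(value)
    "x'#{value.to_s.delete('-')}'"
  end

  # Hardened variant: reject anything that is not a well-formed UUID, and
  # build the literal only from the validated hex digits.
  def self.safe_literal(value)
    s = value.to_s
    raise ArgumentError, "not a UUID: #{s.inspect}" unless UUID_RE.match?(s)
    "x'#{s.delete('-').downcase}'"
  end

  # Convenience: the 16 raw bytes a BINARY(16) column would hold, derived
  # from the validated literal so the same check applies.
  def self.to_binary(value)
    hex = safe_literal(value)[2...-1]
    [hex].pack('H*')
  end

  # Returns true when the unsafe path would have let a quote through,
  # i.e. when the value is rejected by the hardened path but still
  # produces a literal containing an unescaped single quote unsafely.
  def self.unsafe_passes_quote?(value)
    lit = unsafe_literal(value)
    !UUID_RE.match?(value.to_s) && lit[2...-1].include?("'")
  end
end

if $PROGRAM_NAME == __FILE__
  good = "123e4567-e89b-12d3-a456-426614174000"
  bad  = "123e4567-e89b-12d3-a456-42661417400' OR 'a'='a"  # constructed non-hex input
  puts UuidHexLiteral.safe_literal(good)
  puts UuidHexLiteral.unsafe_literal(bad)    # quote survives, unescaped
  puts UuidHexLiteral.unsafe_passes_quote?(bad)
  begin
    UuidHexLiteral.safe_literal(bad)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The check is the whole fix: once only `[0-9a-f]` and dashes can reach the interpolation, the literal can contain nothing but hex digits, so it is safe to embed without further escaping. Validating in the type rather than at each call site mirrors where the upgraded gem performs the conversion.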