Skip to content
This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

False positive CVEs reported for Ruby on Rails version 7.0.3.1 component activerecord #325

Open
arudinskis opened this issue Sep 2, 2022 · 0 comments
Open

False positive CVEs reported for Ruby on Rails version 7.0.3.1 component activerecord #325

arudinskis opened this issue Sep 2, 2022 · 0 comments
Labels
bug Something isn't working

Comments

@arudinskis
Copy link

Vulnerability URL

- https://ossindex.sonatype.org/vulnerability/CVE-2017-17916
- https://ossindex.sonatype.org/vulnerability/CVE-2017-17917

Component URL

- https://ossindex.sonatype.org/component/pkg:gem/activerecord

Description

  • CVE-2017-17916 (NVD): SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
  • CVE-2017-17917 (NVD): SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

In Dependency Track this component CPE cpe:2.3:a:activerecord:activerecord:7.0.3.1:*:*:*:*:*:*:* clearly defines component name and version. Both vulnerabilities are related with Rails < 5.1.4 and do not apply to this component.

image
@arudinskis arudinskis added the bug Something isn't working label Sep 2, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@arudinskis