Ruby on Rails < 5.1.4 - SQL Injection via 'where' Method 'id' Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2017-17917. PoCs published by matiasarenhard.
AI-analyzed exploit summary This repository demonstrates a SQL injection vulnerability (CVE-2017-17917) in a Rails application by exploiting an unsafe `where` clause in the `ClientsController`. It includes a vulnerable and patched version of the code for educational purposes.
Description
SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input
Exploits (1)
This repository demonstrates a SQL injection vulnerability (CVE-2017-17917) in a Rails application by exploiting an unsafe `where` clause in the `ClientsController`. It includes a vulnerable and patched version of the code for educational purposes.
References (1)
Scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H