rubygems / RubySec / RUBY:CURUPIRA-2015-10053
Jan 15, 2023 - 9:00 p.m.

curupira is vulnerable to SQL injection

2023-01-15 21:00:00
RubySec
github.com
curupira
software
vulnerability
version 0.1.3
sql injection
upgrade
patch
vdb-218394

CVSS2: 5.2

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:A/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A vulnerability classified as critical has been found in prodigasistemas
curupira up to 0.1.3. Affected is an unknown function of the file
app/controllers/curupira/passwords_controller.rb.
The manipulation leads to SQL injection. Upgrading to version 0.1.4
addresses this issue. The name of the patch is
93a9a77896bb66c949acb8e64bceafc74bc8c271. It is recommended to upgrade the
affected component. VDB-218394 is the identifier assigned to this
vulnerability.

Affected configurations

Vulners
Node: ruby curupira, Range 0.1.4

Vendor: ruby
Product: curupira
Version: *
CPE: cpe:2.3:a:ruby:curupira:*:*:*:*:*:*:*:*
