CVE-2017-17920
rails Severe
SQL Injection
Discovered 12 months ago
Published over 3 years ago
Category: SQL Injection
Source: NIST NVD
Severity: Severe

** DISPUTED ** SQL injection vulnerability in the ‘reorder’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘name’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Patched Versions

n/a

Unaffected Versions

n/a

CVE-2017-17919
rails Severe
SQL Injection
Discovered 12 months ago
Published over 3 years ago
Category: SQL Injection
Source: NIST NVD
Severity: Severe

** DISPUTED ** SQL injection vulnerability in the ‘order’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘id desc’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Patched Versions

n/a

Unaffected Versions

n/a

CVE-2017-17917
rails Severe
SQL Injection
Discovered 12 months ago
Published over 3 years ago
Category: SQL Injection
Source: NIST NVD
Severity: Severe

** DISPUTED ** SQL injection vulnerability in the ‘where’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘id’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Patched Versions

n/a

Unaffected Versions

n/a

CVE-2017-17916
rails Severe
SQL Injection
Discovered 12 months ago
Published over 3 years ago
Category: SQL Injection
Source: NIST NVD
Severity: Severe

** DISPUTED ** SQL injection vulnerability in the ‘find_by’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘name’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Patched Versions

n/a

Unaffected Versions

n/a