SQL injection vulnerability fixed in Ruby on Rails

Corrective releases of the Ruby on Rails framework, versions 7.0.4.1, 6.1.7.1 and 6.0.6.1, have been published, fixing six vulnerabilities. The most dangerous one (CVE-2023-22794) can lead to the execution of attacker-supplied SQL when untrusted external data is placed into SQL comments generated through ActiveRecord. The problem is caused by missing escaping of special characters in the comment text before it is sent to the DBMS: a comment-terminator sequence inside the data closes the comment early, and whatever follows is parsed as SQL.
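To make the mechanism concrete, here is an added example in plain Ruby (it is not code from Rails or from the article): a query builder that interpolates untrusted text into a `/* ... */` comment the way an unescaped query annotation would, beside a hardened builder that neutralises the `*/` and `/*` sequences. The sanitiser and the `statements_outside_comments` helper are deliberately minimal demonstration aids written for this example, not Rails' own `sanitize_as_sql_comment` or a real SQL parser; the attacker payload is constructed.

```ruby
# Added example, not code from Rails or from the opennet.ru article.
# Shows how unescaped text inside a SQL block comment can terminate the
# comment early and smuggle in a second statement, and one simple way to
# neutralise the terminator. The sanitiser is a minimal illustration,
# not Rails' own sanitize_as_sql_comment.

# Vulnerable builder: the attacker-controlled comment is interpolated
# into /* ... */ with no escaping at all.
def build_query_unsafe(table, comment)
  "SELECT * FROM #{table} /* #{comment} */"
end

# Neutralise comment-terminator and comment-opener sequences by splitting
# them with a space, so the surrounding /* ... */ stays intact.
def sanitize_sql_comment(text)
  text.to_s.gsub("*/", "* /").gsub("/*", "/ *")
end

# Hardened builder: same shape, but the comment body is sanitised first.
def build_query_safe(table, comment)
  "SELECT * FROM #{table} /* #{sanitize_sql_comment(comment)} */"
end

# Rough "what would the DBMS execute" check for the demo: drop /* */
# block comments and -- line comments, then split on ';'. This is a
# demonstration aid, not a real SQL parser.
def statements_outside_comments(sql)
  stripped = sql.gsub(%r{/\*.*?\*/}m, "").gsub(/--.*$/, "")
  stripped.split(";").map(&:strip).reject(&:empty?)
end

if __FILE__ == $PROGRAM_NAME
  payload = "x */ ; DROP TABLE users; --" # constructed attacker input
  puts build_query_unsafe("users", payload)
  puts statements_outside_comments(build_query_unsafe("users", payload)).inspect
  puts build_query_safe("users", payload)
  puts statements_outside_comments(build_query_safe("users", payload)).inspect
end
```

With the constructed payload the unsafe query yields two executable statements (the `SELECT` and the `DROP TABLE`), while the hardened query keeps the whole payload inside the comment and yields one. The general lesson is the same as the fix in the release: anything interpolated into a SQL comment must be treated as untrusted input and escaped, not appended verbatim.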

The second vulnerability (CVE-2023-22797) allows users to be redirected to arbitrary pages (open redirect) when unvalidated external data is passed to the redirect_to handler. The remaining four vulnerabilities lead to denial of service through excessive load on the system, mainly because of inefficient, time-consuming processing of external data.
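The open-redirect class of bug is avoided by validating the target before it reaches redirect_to. Below is an added example helper in plain Ruby (not Rails' own code and not from the article) that only accepts site-relative paths or absolute http(s) URLs to an allowlisted host, and otherwise falls back to a default. The function name `safe_redirect_target`, the `example.com` allowlist and the test inputs are all assumptions made for this illustration. It goes slightly beyond the article by also rejecting protocol-relative (`//host`) and backslash (`/\host`) forms, which browsers treat as leaving the site regardless of how a server-side URI parser reads them.

```ruby
require "uri"

# Added example, not code from Rails or from the opennet.ru article.
# Returns a redirect target that stays on the site (or on an allowlisted
# host); anything else becomes the fallback. The allowlist host
# "example.com" is an assumption for this illustration.
def safe_redirect_target(param, allowed_hosts: ["example.com"], fallback: "/")
  target = param.to_s.strip
  return fallback if target.empty?

  # Browsers interpret "//host", "///host" and "/\host" as leaving the
  # current origin, whatever URI.parse says, so reject them on the raw
  # string before any parsing.
  return fallback if target.start_with?("//") || target.include?("\\")

  # A plain site-relative path is allowed as-is.
  return target if target.start_with?("/")

  # Anything else must parse as an absolute http(s) URL to an allowed host.
  begin
    uri = URI.parse(target)
  rescue URI::InvalidURIError
    return fallback
  end

  scheme = uri.scheme.to_s.downcase
  host = uri.host.to_s.downcase
  return target if %w[http https].include?(scheme) && allowed_hosts.include?(host)

  fallback
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one benign, the rest typical bypass attempts.
  ["/dashboard",
   "https://evil.example/phish",
   "//evil.example/phish",
   "/\\evil.example",
   "https://example.com@evil.example/",
   "https://example.com/account"].each do |input|
    puts "#{input.inspect} -> #{safe_redirect_target(input).inspect}"
  end
end
```

In a controller this would be used as `redirect_to safe_redirect_target(params[:return_to])` rather than `redirect_to params[:return_to]`. Note the `https://example.com@evil.example/` case: the allowed name appears in the string, but the real host is `evil.example`, which is why the check compares the parsed host against an exact allowlist instead of searching for a substring. Rails 7.0 also offers `redirect_to ..., allow_other_host: false` for the same purpose; the helper here simply makes the policy explicit and testable.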

Source: opennet.ru
