VYPR
Unrated severity · NVD Advisory · Published Jan 5, 2023 · Updated Aug 6, 2024

arekk uke finder.rb SQL injection

CVE-2015-10014

Description

A vulnerability classified as critical has been found in arekk uke. This affects an unknown part of the file lib/uke/finder.rb. The manipulation leads to sql injection. The identifier of the patch is 52fd3b2d0bc16227ef57b7b98a3658bb67c1833f. It is recommended to apply a patch to fix this issue. The identifier VDB-217485 was assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical SQL injection vulnerability in the arekk/uke gem's Finder module allows unauthenticated attackers to execute arbitrary SQL via unsanitized coordinate parameters.

Vulnerability

The vulnerability resides in the lib/uke/finder.rb file of the arekk/uke Ruby gem. The methods by_news, by_location, and by_frq_range construct SQL queries by interpolating user-supplied latitude and longitude values using conn.quote_string, which is insufficient for preventing SQL injection. All versions prior to commit 52fd3b2d0bc16227ef57b7b98a3658bb67c1833f are affected [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests that include malicious latitude or longitude parameters. No authentication is required. The attacker supplies values containing SQL metacharacters, which are then directly embedded into SQL statements without proper sanitization, allowing arbitrary SQL execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized disclosure of sensitive data, modification or deletion of records, and potentially full compromise of the database server. The vulnerability is rated critical due to the ease of exploitation and the severity of potential outcomes.

Mitigation

The fix is provided in commit 52fd3b2d0bc16227ef57b7b98a3658bb67c1833f, which replaces conn.quote_string with conn.quote for proper escaping of coordinate values [1]. Users should apply this patch or update to a version that includes it. No workarounds are documented.
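As an added illustration (not code from the uke gem or its patch), the Ruby below models the difference between escaping a string's contents and emitting a complete SQL literal, and goes one step beyond the patch by parsing coordinates as bounded numbers before they reach any query. The two quoting helpers are simplified stand-ins for ActiveRecord's quote_string and quote; their behaviour here is an assumption for the demonstration, not the library's code.

```ruby
# Added example, not code from the uke gem. quote_string / quote below are
# simplified stand-ins for ActiveRecord's methods (assumption: single quotes
# are doubled and string values are wrapped in quotes; backslash handling omitted).

# Escapes only the characters inside a string. It adds no delimiters, so it
# only helps when the caller also wraps the result in quotes.
def quote_string(s)
  s.to_s.gsub("'", "''")
end

# Emits a complete SQL literal: numbers as-is, strings quoted and escaped.
def quote(value)
  value.is_a?(Numeric) ? value.to_s : "'#{quote_string(value)}'"
end

# Shape of the affected finder code: a request parameter is escaped and then
# interpolated into a numeric comparison, so it is never delimited at all.
def clause_before(lat)
  "lat > #{quote_string(lat)}"
end

# Shape of the fix: quote yields a delimited literal, so whatever the
# parameter contains stays inside a single string value.
def clause_after(lat)
  "lat > #{quote(lat)}"
end

# Stricter than the fix: a coordinate is a number in a known range, so parse
# it as one and reject anything else before it reaches the query builder.
LAT_RANGE = (-90.0..90.0)
LNG_RANGE = (-180.0..180.0)

def parse_coordinate(value, range)
  number = begin
    Float(value.to_s.strip)   # Float() rejects text that is not one number
  rescue ArgumentError
    raise ArgumentError, "not a numeric coordinate: #{value.inspect}"
  end
  raise ArgumentError, "coordinate out of range: #{number}" unless range.cover?(number)
  number
end

def clause_strict(lat)
  "lat > #{parse_coordinate(lat, LAT_RANGE)}"
end

if __FILE__ == $PROGRAM_NAME
  puts clause_before("45.5"), clause_after("45.5"), clause_strict("45.5")
end
```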

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • arekk/uke (llm-create), 2 versions
    • no CPE; version range: n/a

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.