VYPR
High severity · NVD Advisory · Published Mar 13, 2020 · Updated Aug 4, 2024

Sort order SQL injection in Administrate

CVE-2020-5257

Description

In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord SQL protections. Whilst this does have a high impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in version 0.13.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Administrate gem before 0.13.0 has an SQL injection in the sorting direction parameter, exploitable by authenticated users with dashboard access.

Vulnerability

Overview

CVE-2020-5257 is a SQL injection vulnerability in the Administrate Ruby gem, versions prior to 0.13.0. The flaw resides in the dynamic sorting mechanism used by dashboards. When constructing SQL queries for ordering results, the direction parameter (e.g., asc or desc) was directly interpolated without validation, allowing an attacker to inject arbitrary SQL if they could manipulate this parameter [1][2]. This bypassed ActiveRecord's default SQL protections because the parameter was not sanitized before use.

Exploitation

Conditions

Exploiting this vulnerability requires access to an Administrate dashboard, which is typically behind authentication. However, if an attacker gains access (e.g., through compromised credentials or a separate vulnerability), they can modify the direction parameter to inject SQL commands. The attack does not require special privileges beyond dashboard access, and it can be performed remotely [1][4]. The lack of input validation meant that arbitrary strings could be passed, not just asc or desc [3].

Impact

Successful exploitation could lead to a high-impact SQL injection attack, potentially allowing an attacker to read, modify, or delete database content. This could compromise the confidentiality, integrity, and availability of the application's data, depending on the database permissions [1][4].

Mitigation

The vulnerability is patched in Administrate version 0.13.0. The fix introduces a sanitize_direction method that restricts the direction to only :asc or :desc, silently defaulting to :asc for any other input [3]. Users should upgrade to the latest version immediately. No workarounds are documented, but restricting network access to dashboard endpoints and enforcing strong authentication can reduce risk [1][2].
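An added example, not Administrate's own code, that contrasts the pre-0.13.0 and 0.13.0 handling of the sort direction with a stand-in relation; FakeRelation, VulnerableOrder, SafeOrder and order_fragment are constructed names, and the constructed input "asc, name desc" stands for any non-direction string.

```ruby
# Added example, not Administrate's own code: a minimal stand-in for
# Administrate::Order that contrasts the pre-0.13.0 and 0.13.0 handling of
# the sort direction. All class and method names below are constructed.
# Stand-in for an ActiveRecord relation: it records the ORDER BY fragment
# handed to #reorder instead of running a query.
class FakeRelation
  attr_reader :table_name, :last_order

  def initialize(table_name)
    @table_name = table_name
  end

  def reorder(sql)
    @last_order = sql
    self
  end
end

# Pre-fix behaviour: direction only gets a default, then is interpolated
# verbatim into the SQL fragment, so any string reaches ORDER BY.
class VulnerableOrder
  def initialize(attribute, direction = nil)
    @attribute = attribute
    @direction = direction || :asc
  end

  def apply(relation)
    relation.reorder("#{relation.table_name}.#{@attribute} #{@direction}")
  end
end

# Fixed behaviour (mirrors the 0.13.0 patch): anything outside the
# asc/desc allow-list silently collapses to :asc before interpolation.
# Only the constructor differs, as in the real patch, so #apply is reused.
class SafeOrder < VulnerableOrder
  def initialize(attribute, direction = nil)
    super(attribute, sanitize_direction(direction))
  end

  private

  def sanitize_direction(direction)
    %w[asc desc].include?(direction.to_s) ? direction.to_sym : :asc
  end
end

# Returns the ORDER BY fragment a given Order class emits for `direction`.
def order_fragment(klass, direction)
  klass.new(:name, direction).apply(FakeRelation.new("users")).last_order
end
```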

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: administrate (RubyGems)
Affected versions: < 0.13.0
Patched versions: 0.13.0

Patches

1 patch: commit 3ab838b83c5f

Merge pull request from GHSA-2p5p-m353-833w

https://github.com/thoughtbot/administrate · Nick Charlton · Mar 13, 2020 · via ghsa
2 files changed · +17 −2
  • lib/administrate/order.rb (+6 −2, modified)
    @@ -2,7 +2,7 @@ module Administrate
       class Order
         def initialize(attribute = nil, direction = nil)
           @attribute = attribute
    -      @direction = direction || :asc
    +      @direction = sanitize_direction(direction)
         end
     
         def apply(relation)
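Review bot: the `|| :asc` default moves into `sanitize_direction`, which still yields `:asc` for `nil` because `nil.to_s` is `""`, so the default behaviour is preserved; but the same fallback now also swallows any unrecognised value without a trace, so a caller passing a typo such as `:ascending` gets `:asc` and no signal. A one-line comment above `@direction = sanitize_direction(direction)` stating that unrecognised directions are coerced to `:asc` would make the intent explicit for future readers.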
    @@ -34,6 +34,10 @@ def order_params_for(attr)
     
         attr_reader :attribute
     
    +    def sanitize_direction(direction)
    +      %w[asc desc].include?(direction.to_s) ? direction.to_sym : :asc
    +    end
    +
         def reversed_direction_param_for(attr)
           if ordered_by?(attr)
             opposite_direction
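Review bot: `direction.to_sym` on the true branch assumes the value responds to `to_sym`, while membership was checked on `direction.to_s`; an object whose `to_s` is `"asc"` but which lacks `to_sym` would raise here. Returning `direction.to_s.to_sym` keeps both checks on the same normalised value. Note also that the allow-list is case-sensitive, so `"DESC"` silently becomes `:asc`; either downcase before the check or document that only lowercase `asc`/`desc` are accepted.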
    @@ -43,7 +47,7 @@ def reversed_direction_param_for(attr)
         end
     
         def opposite_direction
    -      direction.to_sym == :asc ? :desc : :asc
    +      direction == :asc ? :desc : :asc
         end
     
         def order_by_association(relation)
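Review bot: dropping `.to_sym` makes `opposite_direction` depend on the invariant that `@direction` is always a Symbol, which currently holds only because the constructor routes every value through `sanitize_direction`. If another writer for `@direction` is ever added and stores a String, `direction == :asc` would be false for `"asc"` and the toggle would always return `:asc`. A short comment naming that invariant next to the comparison would guard against that regression.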
    
  • spec/lib/administrate/order_spec.rb (+11 −0, modified)
    @@ -51,6 +51,17 @@
             expect(relation).to have_received(:reorder).with("table_name.name desc")
             expect(ordered).to eq(relation)
           end
    +
    +      it "sanitizes arbitary direction parameters" do
    +        order = Administrate::Order.new(:name, :foo)
    +        relation = relation_with_column(:name)
    +        allow(relation).to receive(:reorder).and_return(relation)
    +
    +        ordered = order.apply(relation)
    +
    +        expect(relation).to have_received(:reorder).with("table_name.name asc")
    +        expect(ordered).to eq(relation)
    +      end
         end
     
         context "when relation has_many association" do
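Review bot: the new example covers only a Symbol input (`:foo`), yet the fix is meant to stop arbitrary request strings, and the `opposite_direction` change now relies on the stored direction being a Symbol; add cases for a String that is not a direction, for `"desc"` as a String (expecting `"table_name.name desc"`), and for `nil` so the default path is also pinned. The description string also misspells "arbitrary" as "arbitary".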
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
