CVE-2020-7981

sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data.
SQL Injection
Severity
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Atk. Vector
NETWORK
Atk. Complexity
LOW
Priv. Required
NONE
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
VendorProductVersion
rubygeocodergeocoder
𝑥
< 1.6.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-geocoder
bookworm
1.5.1-3
fixed
bullseye
1.5.1-3
fixed
sid
1.5.1-3
fixed
trixie
1.5.1-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-geocoder
focal
not-affected
eoan
ignored
bionic
dne
xenial
dne
trusty
dne