CVE-2022-46163 – travel-support-program vulnerable to data exfiltration via Ransack query injection
https://notcve.org/view.php?id=CVE-2022-46163
Travel Support Program is a Rails app to support the travel support program of openSUSE (TSP). Sensitive user data (bank account details, password hash) can be extracted via Ransack query injection. Every deployment of travel-support-program below the patched version is affected. travel-support-program uses the Ransack library to implement search functionality. In its default configuration, Ransack allows query conditions based on properties of associated database objects [1], so a search on one model can filter on columns of the records it is associated with.

References:
• https://github.com/openSUSE/travel-support-program/commit/d22916275c51500b4004933ff1b0a69bc807b2b7
• https://github.com/openSUSE/travel-support-program/pull/158
• https://github.com/openSUSE/travel-support-program/security/advisories/GHSA-2wwv-c6xh-cf68

Weaknesses:
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
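Added example (not code from travel-support-program or Ransack): a simplified stand-in for the allow-list check Ransack performs through a model's ransackable_attributes and ransackable_associations hooks, with the permissive default shape beside a hardened one that keeps sensitive user columns out of reach of the search parameters. Model names, columns and the predicate list are assumptions.

```ruby
# Constructed stand-in for ActiveRecord models. The two hook names match the
# allow-list hooks Ransack consults; columns and associations are assumptions.
Model = Struct.new(:associations, :ransackable_attributes, :ransackable_associations)

USER_COLUMNS = %w[id name email password_digest bank_account].freeze
REQUEST_COLUMNS = %w[id description].freeze

# Pre-patch shape: the default allows every column and every association, so a
# search on requests can reach user.bank_account and user.password_digest.
PERMISSIVE_USER = Model.new({}, USER_COLUMNS, [])
PERMISSIVE_REQUEST = Model.new({ "user" => PERMISSIVE_USER }, REQUEST_COLUMNS, ["user"])

# Hardened shape: explicit allow-lists that leave out the sensitive columns.
HARDENED_USER = Model.new({}, %w[name], [])
HARDENED_REQUEST = Model.new({ "user" => HARDENED_USER }, REQUEST_COLUMNS, ["user"])

# Longest predicates first so "not_eq" is matched before "eq".
PREDICATES = %w[eq not_eq cont not_cont start end in gt gteq lt lteq].sort_by { |p| -p.length }

# Splits a Ransack-style param such as "user_name_cont" into predicate and
# attribute path, then walks the path one association hop at a time.
# Returns true only when every hop and the final attribute are allowed.
def permitted_ransack_key?(model, key)
  predicate = PREDICATES.find { |p| key.end_with?("_#{p}") }
  return false unless predicate

  path_allowed?(model, key.delete_suffix("_#{predicate}"))
end

def path_allowed?(model, path)
  return true if model.ransackable_attributes.include?(path)

  model.associations.each do |name, target|
    next unless path.start_with?("#{name}_")
    next unless model.ransackable_associations.include?(name)
    return true if path_allowed?(target, path.delete_prefix("#{name}_"))
  end
  false
end

# Drops every unpermitted condition from an incoming search hash before it
# can be turned into a database query.
def sanitize_ransack_params(model, params)
  params.select { |key, _| permitted_ransack_key?(model, key.to_s) }
end
```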