PT-2023-14814 · Opensuse+3

Lukas Euler · Published 2023-01-10 · Updated 2023-07-07

CVE-2022-46163

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: travel-support-program, versions prior to the patched version.

Description: The travel-support-program, a Rails app supporting the openSUSE travel support program, is affected by a Ransack query injection issue. It allows sensitive user data, including bank account details and password hashes, to be extracted. The issue is exploited through the `*_start`, `*_end` or `*_cont` search predicates of the Ransack library, using a character-by-character brute-force search. A single bank account number can be extracted with fewer than 200 requests, and a password hash with approximately 1200 requests, all within a few minutes.

Recommendations: To resolve the issue, apply the patch committed in d22916275c51500b4004933ff1b0a69bc807b2b7. Alternatively, cherry-pick the patch, but make sure you have also applied the Rails 5.0 migration done in #150, including its dependent pull requests. As a temporary workaround, consider restricting access to the Ransack search functionality until the patch is applied.
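The root cause class described above is a search layer that lets a client name any column as a Ransack predicate (`bank_account_start`, `encrypted_password_cont`, ...). The defensive fix is an explicit attribute allowlist applied before parameters ever reach the query builder; in a real Rails app this is what Ransack's `ransackable_attributes` class method on the model is for. The following is an added, stand-alone illustration of that allowlist check, written for this advisory and not code from travel-support-program or from Ransack. The attribute names (`name`, `email`, `bank_account`, `encrypted_password`) and the sample parameters are constructed assumptions.

```ruby
# Added example: allowlist filtering of Ransack-style search parameters.
# Ransack keys have the form "<attribute>_<predicate>", optionally
# "<a>_or_<b>_<predicate>" and an "_any"/"_all" suffix. Anything that does
# not parse, or that targets an attribute outside the allowlist, is dropped
# and reported so it can be logged.
PREDICATES = %w[
  eq not_eq matches does_not_match lt lteq gt gteq in not_in
  cont not_cont start not_start end not_end
  true false present blank null not_null
].sort_by { |p| -p.length }.freeze # longest first: "not_start" beats "start"

# Returns [attributes, predicate] or nil when the key is not a recognised
# Ransack predicate key.
def split_ransack_key(key)
  base = key.sub(/_(any|all)\z/, "")
  PREDICATES.each do |pred|
    next unless base.end_with?("_#{pred}")
    attr_part = base[0...-(pred.length + 1)]
    return [attr_part.split(/_(?:or|and)_/), pred]
  end
  nil
end

# q:       the q[...] hash from the request (string keys).
# allowed: attribute names a client may search on (constructed here).
# Returns [kept_params, rejected_keys]. Sorting (q[s]) is intentionally not
# passed through; ordering by a sensitive column is a separate leak channel.
def filter_ransack_params(q, allowed)
  kept = {}
  rejected = []
  q.each do |key, value|
    parsed = split_ransack_key(key.to_s)
    if parsed && parsed[0].all? { |attr| allowed.include?(attr) }
      kept[key] = value
    else
      rejected << key.to_s
    end
  end
  [kept, rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: one legitimate search term and two probes of the
  # kind this advisory describes (prefix matching on sensitive columns).
  params = {
    "name_cont" => "Al",
    "bank_account_start" => "DE12",
    "encrypted_password_cont" => "$2a",
  }
  kept, rejected = filter_ransack_params(params, %w[name email])
  puts "kept:     #{kept.inspect}"
  puts "rejected: #{rejected.inspect}" # worth logging; repeated rejects per client indicate probing
end
```

Anything in `rejected` is a candidate for an audit log line keyed by client address: the character-by-character extraction described above produces hundreds of such requests in a short window, which is a simple rate-based detection even on a patched instance.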

Exploit

Fix

Information Disclosure

SQL injection


Weakness Enumeration

Related identifiers

CVE-2022-46163
GHSA-2WWV-C6XH-CF68

Affected products

Rails
Ransack
Opensuse
Travel-Support-Program