Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.
This vulnerability affects Puppet Dashboard, which is installed on the console in Puppet Enterprise. It also affects ActiveRecord, which is used in stored configs on the master in Puppet Enterprise.
All users running an affected release should upgrade as soon as possible.
Impacted code passes user provided data to a dynamic finder like this:
More information can be found in the following post: