CVE-2022-21831.yml
---
gem: activestorage
framework: rails
cve: 2022-21831
ghsa: w749-p3v6-hccq
url: https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI
title: Possible code injection vulnerability in Rails / Active Storage
date: 2022-03-08
description: |
  There is a possible code injection vulnerability in the Active Storage module
  of Rails. This vulnerability has been assigned the CVE identifier
  CVE-2022-21831.

  Versions Affected: >= 5.2.0
  Not affected: < 5.2.0
  Fixed Versions: 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

  Impact
  ------
  There is a possible code injection vulnerability in the Active Storage module
  of Rails. This vulnerability impacts applications that use Active Storage
  with the image_processing gem together with the mini_magick back end for
  image_processing.

  Vulnerable code will look something like this:

  ```ruby
  <%= image_tag blob.variant(params[:t] => params[:v]) %>
  ```

  Where the transformation method or its arguments are untrusted arbitrary
  input.

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Workarounds
  -----------
  To work around this issue, applications should implement a strict allow-list
  on accepted transformation methods or arguments. Additionally, a strict
  ImageMagick security policy will help mitigate this issue.

  https://imagemagick.org/script/security-policy.php
cvss_v3: 9.8
unaffected_versions:
- "< 5.2.0"
patched_versions:
- "~> 5.2.6, >= 5.2.6.3"
- "~> 6.0.4, >= 6.0.4.7"
- "~> 6.1.4, >= 6.1.4.7"
- ">= 7.0.2.3"
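A worked version of the allow-list workaround the advisory recommends, added here as an example; it is not part of the advisory, of ruby-advisory-db, or of Rails. The module name `SafeVariant`, its methods, the permitted transformation names and limits, and the sample requests are all constructed for the illustration, and nothing in it calls a Rails API, so it runs stand-alone. The point is that the client never chooses a method name or passes a raw string through: both the transformation and its argument are matched against a fixed table, parsed into typed values, and range-checked before anything reaches `blob.variant`.

```ruby
# Added example, not part of the advisory or of Rails: a strict allow-list for
# Active Storage variant transformations taken from request parameters.
# SafeVariant, its methods and the limits below are invented for this example.
module SafeVariant
  class Rejected < StandardError; end

  MAX_DIMENSION = 4096
  DIMENSIONS = /\A(\d{1,4})x(\d{1,4})\z/   # e.g. "100x100", nothing else
  QUALITY    = /\A\d{1,3}\z/               # e.g. "80"

  # Permitted transformation names and the argument shape each accepts.
  # A request may pick only these; any other method name the client sends
  # is refused before it reaches image_processing / mini_magick.
  ALLOWED = {
    "resize_to_limit" => :dimensions,
    "resize_to_fill"  => :dimensions,
    "quality"         => :quality,
  }.freeze

  # Turns (name, value) from params into a transformations hash that can be
  # handed to blob.variant, or raises Rejected.
  def self.build(name, value)
    kind = ALLOWED[name.to_s]
    raise Rejected, "transformation not allowed: #{name.inspect}" unless kind

    args = kind == :dimensions ? dimensions(value) : quality(value)
    { name.to_s.to_sym => args } # to_sym only after the allow-list check
  end

  # Controller-friendly wrapper: [:ok, hash] or [:rejected, reason].
  def self.check(name, value)
    [:ok, build(name, value)]
  rescue Rejected => e
    [:rejected, e.message]
  end

  # "WxH" -> [w, h], both within 1..MAX_DIMENSION.
  def self.dimensions(value)
    m = DIMENSIONS.match(value.to_s)
    raise Rejected, "bad dimensions: #{value.inspect}" unless m

    w, h = m[1].to_i, m[2].to_i
    unless (1..MAX_DIMENSION).cover?(w) && (1..MAX_DIMENSION).cover?(h)
      raise Rejected, "dimensions out of range: #{value.inspect}"
    end
    [w, h]
  end

  # "NN" -> integer within 1..100.
  def self.quality(value)
    raise Rejected, "bad quality: #{value.inspect}" unless QUALITY.match?(value.to_s)

    q = value.to_i
    raise Rejected, "quality out of range: #{value.inspect}" unless (1..100).cover?(q)
    q
  end
end

# Constructed sample requests standing in for params[:t] / params[:v].
SAMPLE_REQUESTS = [
  ["resize_to_limit", "100x100"],   # accepted
  ["quality", "80"],                # accepted
  ["resize_to_fill", "0x10"],       # rejected: zero width
  ["convert", "png"],               # rejected: method not in the allow-list
  ["resize_to_limit", "100x100 junk"], # rejected: argument is not a pure WxH
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |t, v|
    status, detail = SafeVariant.check(t, v)
    puts "#{t}=#{v.inspect} -> #{status} #{detail.inspect}"
  end
end
```

In a Rails view the vulnerable call would then become `blob.variant(SafeVariant.build(params[:t], params[:v]))`, with `SafeVariant::Rejected` rescued in the controller as a client error; the ImageMagick security policy the advisory links to remains a second, independent layer.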