Bug 1842634 (CVE-2020-8164)

Summary: CVE-2020-8164 rubygem-actionpack: possible strong parameters bypass
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: akarol, bbuckingham, bcourt, bkearney, bmidwood, btotty, dmetzger, gmccullo, gtanzill, hhudgeon, jaruga, jhardy, lzap, mmccune, mo, nmoumoul, pvalena, rchan, rjerrido, roliveri, ruby-packagers-sig, simaishi, smallamp, sokeeffe, sseago, strzibny, vondruch, xlecauch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rubygem-actionpack-5.2.4.3, rubygem-actionpack-6.0.3.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-actionpack. The return value of `each`, `each_value`, and `each_pair` on a Strong Parameters object is the underlying, untrusted hash of user-supplied data, so that data can escape the Strong Parameters filtering. Applications that use these return values may inadvertently operate on unfiltered user input. The highest risk from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-08 13:50:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1842635, 1842995, 1842996, 1846377
Bug Blocks: 1842637

Description Guilherme de Almeida Suckevicz 2020-06-01 18:16:43 UTC
There is a strong parameters bypass vector in ActionPack. In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input.

Reference:
https://groups.google.com/forum/#!msg/rubyonrails-security/f6ioe4sdpbY/s8tBAMPAAQAJ
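Added illustration of the behaviour described in the report above (not code from the ticket, the reporter, or Rails itself): a stand-in class, `ToyParameters`, models only the return value of `each`, `each_pair` and `each_value` before and after the fix (the patched actionpack releases make these methods return `self`), and a constructed `Account#assign_attributes` mirrors the `permitted?` check that Rails' mass-assignment protection performs. The class names, the request body and the controller-style helper methods are assumptions made for this example.

```ruby
# Added example (not Rails' code, not from the ticket): a minimal stand-in for
# ActionController::Parameters that models only the behaviour CVE-2020-8164 is
# about, beside a mass-assignment sink that mirrors Rails' permitted? check.

class ForbiddenAttributesError < StandardError; end
class UnfilteredParameters < StandardError; end

# ToyParameters is a constructed model, not ActionController::Parameters.
# fixed: false reproduces actionpack before 5.2.4.3 / 6.0.3.1, where each,
# each_pair and each_value fell through to the Hash returned by the inner
# hash's own iterator; fixed: true returns self, as the patched versions do.
class ToyParameters
  def initialize(hash, permitted: false, fixed: true)
    @parameters = hash.transform_keys(&:to_s)
    @permitted = permitted
    @fixed = fixed
  end

  def permitted?
    @permitted
  end

  # Explicit allow list: a new wrapper, flagged permitted, holding only `keys`.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    self.class.new(@parameters.select { |k, _| allowed.include?(k) },
                   permitted: true, fixed: @fixed)
  end

  # As in Rails, to_h refuses to hand out an unpermitted hash.
  def to_h
    raise UnfilteredParameters unless @permitted
    @parameters.dup
  end

  def each_pair
    result = @parameters.each_pair { |key, value| yield [key, value] }
    # Hash#each_pair returns its receiver, so `result` IS the raw untrusted
    # hash. Pre-fix that was the method's value; the fix returns self instead.
    @fixed ? self : result
  end
  alias_method :each, :each_pair

  def each_value
    result = @parameters.each_value { |value| yield value }
    @fixed ? self : result
  end
end

# Constructed stand-in for an ActiveModel object. assign_attributes mirrors
# ActiveModel's sanitize_for_mass_assignment: a Parameters object that is not
# permitted is rejected, but a plain Hash has no #permitted? and is taken as-is.
# That asymmetry is what turns the leaked Hash into a strong-parameters bypass.
class Account
  attr_reader :attributes

  def initialize
    @attributes = {}
  end

  def assign_attributes(attrs)
    if attrs.respond_to?(:permitted?)
      raise ForbiddenAttributesError unless attrs.permitted?
      attrs = attrs.to_h
    end
    @attributes.merge!(attrs)
    self
  end
end

# Constructed request body: the client smuggles a "role" field the controller
# never meant to accept.
UNTRUSTED_BODY = { "name" => "alice", "role" => "admin" }.freeze

# Vulnerable app pattern: walks the params to build an audit log and then
# treats the iterator's return value as "the params". Returns the attributes
# that reached the model, or :blocked if mass-assignment protection fired.
def audit_and_assign(fixed:)
  params = ToyParameters.new(UNTRUSTED_BODY, fixed: fixed)
  audit_log = []
  seen = params.each_pair { |key, _value| audit_log << key }
  Account.new.assign_attributes(seen).attributes
rescue ForbiddenAttributesError
  :blocked
end

# Safe pattern on any version: ignore the iterator's return value and reach
# the model only through permit.
def permit_and_assign(fixed:)
  params = ToyParameters.new(UNTRUSTED_BODY, fixed: fixed)
  params.each_pair { |key, _value| key } # side effects only, value discarded
  Account.new.assign_attributes(params.permit(:name)).attributes
end

if __FILE__ == $PROGRAM_NAME
  p audit_and_assign(fixed: false)  # {"name"=>"alice", "role"=>"admin"}: bypass
  p audit_and_assign(fixed: true)   # :blocked
  p permit_and_assign(fixed: false) # {"name"=>"alice"}
end
```

Running the file shows the three outcomes. On the unpatched model `audit_and_assign` hands a plain Hash to the model, which `assign_attributes` cannot tell apart from a permitted one, so the smuggled `role` is assigned; on the patched model the same code receives the Parameters wrapper back and the assignment is refused. `permit_and_assign` is the pattern that is safe either way, because it never uses what the iterator returns.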

Comment 1 Guilherme de Almeida Suckevicz 2020-06-01 18:17:02 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1842635]

Comment 3 Yadnyawalk Tale 2020-06-02 14:04:19 UTC
External References:

https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released

Comment 6 Yadnyawalk Tale 2020-06-02 14:23:18 UTC
Statement:

Red Hat CloudForms and Red Hat Satellite ship the affected RubyGem actionpack and use strong parameters; however, the products are not vulnerable since safe return values are used in product code.