Bug 1842634 (CVE-2020-8164)
| Summary: | CVE-2020-8164 rubygem-actionpack: possible strong parameters bypass | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | akarol, bbuckingham, bcourt, bkearney, bmidwood, btotty, dmetzger, gmccullo, gtanzill, hhudgeon, jaruga, jhardy, lzap, mmccune, mo, nmoumoul, pvalena, rchan, rjerrido, roliveri, ruby-packagers-sig, simaishi, smallamp, sokeeffe, sseago, strzibny, vondruch, xlecauch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | rubygem-actionpack-5.2.4.3, rubygem-actionpack-6.0.3.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in rubygem-actionpack. Untrusted hashes of data are possible as the values yielded by `each`, `each_value`, and `each_pair`, which can lead to cases of user-supplied information being leaked from Strong Parameters. Applications that use these hashes may inadvertently use untrusted user input. The highest risk from this vulnerability is to data confidentiality. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-11-08 13:50:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1842635, 1842995, 1842996, 1846377 | | |
| Bug Blocks: | 1842637 | | |
Description

Guilherme de Almeida Suckevicz, 2020-06-01 18:16:43 UTC

Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1842635]

External References: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released

Statement: Red Hat CloudForms and Red Hat Satellite ship the affected RubyGem actionpack and use strong parameters; however, the products are not vulnerable since safe return values are used in product code.
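The Doc Text above describes the flaw only in prose. The following is an added example, not code from Rails or from Red Hat: a small stand-in class that models the behaviour of `ActionController::Parameters` before and after the fix, so the difference between hash-style lookup (which wraps nested values) and the pre-fix iteration methods (which yielded raw, unchecked hashes) can be seen on a constructed request. `ParamsModel`, `mass_assign` and `REQUEST` are all constructed for this example.

```ruby
# Added example, not Rails' code: a stand-in for ActionController::Parameters that
# models the Doc Text's flaw: pre-fix, each/each_pair/each_value yielded nested values
# as raw Hashes, which have no permitted? flag and so bypass the mass-assignment check.
class ForbiddenAttributesError < StandardError; end

class ParamsModel
  def initialize(hash, permitted: false)
    @parameters, @permitted = hash, permitted
  end
  def permitted?; @permitted; end
  # Hash-style lookup wraps nested hashes, so permission checks still apply.
  def [](key); convert(@parameters[key]); end
  # Allow-list the given keys and mark the result permitted (the safe path).
  def permit(*keys); ParamsModel.new(@parameters.slice(*keys), permitted: true); end
  # Pre-fix behaviour (modelled): the nested value is yielded unwrapped.
  def each_pair_unfixed(&block); @parameters.each_pair(&block); end
  # Fixed behaviour (actionpack 5.2.4.3 / 6.0.3.1, modelled): wrap values before yielding.
  def each_pair; @parameters.each_pair { |k, v| yield k, convert(v) }; end
  def to_h
    raise ForbiddenAttributesError, "unpermitted parameters" unless permitted?
    @parameters
  end
  def convert(value); value.is_a?(Hash) ? ParamsModel.new(value) : value; end
end

# Stand-in for the check ActiveModel applies on mass assignment: a raw Hash is
# trusted as-is; an object responding to permitted? must be permitted.
def mass_assign(attrs)
  raise ForbiddenAttributesError if attrs.respond_to?(:permitted?) && !attrs.permitted?
  attrs.to_h
end
# Constructed request body; the controller never permitted "admin".
REQUEST = { "user" => { "name" => "alice", "admin" => true } }

# Unfixed iteration hands the model the whole nested hash, "admin" included.
def assigned_attributes_unfixed
  out = nil
  ParamsModel.new(REQUEST).each_pair_unfixed { |_k, v| out = mass_assign(v) }
  out
end

# Fixed iteration yields an unpermitted ParamsModel, so mass_assign raises.
def assigned_attributes_fixed
  ParamsModel.new(REQUEST).each_pair { |_k, v| mass_assign(v) }
end

# Intended usage: look up, permit an allow-list, then assign.
def assigned_attributes_permitted
  mass_assign(ParamsModel.new(REQUEST)["user"].permit("name"))
end
```

The same contrast is what the Statement relies on: code that assigns from `params[:key].permit(...)` never sees the raw hash, while code that iterated the parameters directly did before the fixed versions.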