Bug 1848724 (CVE-2020-8163)

Summary: CVE-2020-8163 rubygem-rails: potential remote code execution of user-provided local names
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akarol, bbuckingham, bcourt, bkearney, bmidwood, btotty, dmetzger, gmccullo, gtanzill, hhudgeon, jfrey, jhardy, lzap, mmccune, mo, mtasaka, nmoumoul, obarenbo, pvalena, rchan, rjerrido, roliveri, ruby-packagers-sig, simaishi, smallamp, sokeeffe, sseago, s, strzibny, tdawson, vondruch, xlecauch, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-rails-4.2.11.3, rubygem-rails-5.0.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-22 17:20:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1848728    

Description Guilherme de Almeida Suckevicz 2020-06-18 20:14:47 UTC 
In the scenario where an attacker might be able to control the name of a local passed into `render`, they can achieve remote code execution.

Reference:
https://groups.google.com/forum/#!msg/rubyonrails-security/hWuKcHyoKh0/9Zk-qxXXAAAJ
Comment 1 Yadnyawalk Tale 2020-06-19 13:09:12 UTC 
We have very limited information since reproducer is not public from HackerOne/reporter/rails.

According to newest patch, vulnerable code of following locations has this problem. 
activesupport/lib/active_support/core_ext/module/delegation.rb
actionview/lib/action_view/template.rb

That means, with rubygem-rails bundle, individual activesupport and actionview gems are also affected.
This issue has been fixed in rubygem-rails-4.2.11.3, rubygem-rails-5.0.1 or later.
Comment 2 Yadnyawalk Tale 2020-06-19 13:09:17 UTC 
External References:

https://weblog.rubyonrails.org/2020/5/16/rails-4-2-11-3-has-been-released
Comment 3 Yadnyawalk Tale 2020-06-19 13:17:07 UTC 
Found out rails released new 4.2.11.3 version due to regression created after CVE fix in 4.2.11.2.
More info: https://github.com/rails/rails/issues/39301
Comment 4 Yadnyawalk Tale 2020-06-19 13:45:10 UTC 
Should we track this with existing rubygem-rails multi-flawed Bugzilla for CloudForms and Satellite?
Comment 7 Product Security DevOps Team 2020-06-22 17:20:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8163