Bug 2108997 (CVE-2022-32224)
| Summary: | CVE-2022-32224 activerecord: Possible RCE escalation bug with Serialized Columns in Active Record | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | unspecified | CC: | bbuckingham, bcourt, bdm, btotty, ehelms, jsherril, lzap, mhulan, mmccune, ngalvin, nmoumoul, orabin, pcreech, pdwyer, rchan, skonish, sliau, ytale |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | rubygem-activerecord 7.0.3.1, rubygem-activerecord 6.1.6.1, rubygem-activerecord 6.0.5.1, rubygem-activerecord 5.2.8.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | An insecure deserialization flaw was found in Active Record, which uses YAML.unsafe_load to convert the YAML stored in serialized columns into Ruby objects, so the stored YAML can name arbitrary Ruby classes to instantiate. An attacker who can write crafted YAML into such a column can perform remote code execution (RCE), resulting in complete system compromise. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-03-07 18:28:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2109055, 2110507, 2110508, 2166740 | | |
| Bug Blocks: | 2107212 | | |
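The Doc Text above states the mechanism (serialized columns fed to YAML.unsafe_load) but not what that looks like in practice. The following is an added example written for this page; it is not Active Record's code and does not need Rails, only the Psych YAML library that ships with Ruby. It contrasts the pre-fix unrestricted loader with the safe_load allow-list the fixed releases moved to, on two constructed column payloads. The AuditHook class, both payloads and the `[Symbol]` default allow-list are assumptions of this example (the class is deliberately inert; the point is that the database row, not the application, chooses which class gets built). It also adds a tag-scan triage check for existing rows, which goes beyond the advisory text.

```ruby
require "yaml"

# Constructed stand-in for "some class on the application's load path".
# Deliberately harmless: the YAML in the column, not the application,
# decides which class is instantiated and with what state.
class AuditHook
  attr_reader :command

  def initialize(command = nil)
    @command = command
  end
end

# Constructed column content as the application itself would write it.
BENIGN_PREFS = { theme: "dark", notify: true }.to_yaml

# Constructed column content after a row was rewritten by someone with
# write access to the database. The !ruby/object tag names a class to build.
TAMPERED_PREFS = <<~YAML
  --- !ruby/object:AuditHook
  command: echo tampered
YAML

# Pre-fix behaviour: unrestricted Psych loading. Psych 4 calls this
# YAML.unsafe_load; on Psych 3 plain YAML.load is the same unrestricted loader.
def unsafe_column_load(payload)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(payload) : YAML.load(payload)
end

# Post-fix behaviour: safe_load with an explicit allow-list. [Symbol] is the
# default allow-list assumed here for serialized columns; applications extend
# it per class they actually store, never with a blanket Object.
def safe_column_load(payload, permitted_classes: [Symbol])
  YAML.safe_load(payload, permitted_classes: permitted_classes, aliases: true)
end

# Runs one of the two loaders and reports [:ok, value] or [:rejected, error
# class], so the two behaviours can be compared side by side.
def try_load(loader, payload)
  [:ok, send(loader, payload)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.class]
end

# Cheap triage check for existing rows: hashes and arrays written by the
# application never need a !ruby/... tag, so one showing up in a serialized
# column is worth investigating before any code path loads it.
RUBY_TAG = /!ruby\//.freeze

def suspicious_column?(payload)
  RUBY_TAG.match?(payload)
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_PREFS, TAMPERED_PREFS].each do |payload|
    puts "suspicious tag present? #{suspicious_column?(payload)}"
    puts "  unrestricted loader: #{try_load(:unsafe_column_load, payload).inspect}"
    puts "  safe_load allow-list: #{try_load(:safe_column_load, payload).inspect}"
  end
end
```

The unrestricted loader returns a live AuditHook for the tampered row, while safe_load raises Psych::DisallowedClass and the benign row loads identically under both. The fixed activerecord releases listed above make the allow-list behaviour the default for serialized columns (the permitted classes are configurable through the yaml_column_permitted_classes setting) and leave the unrestricted loader as an explicit opt-in; the triage scan is useful for checking rows that were written while the unrestricted loader was still in use.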
Description
Borja Tarraso
2022-07-20 09:05:03 UTC
This issue has been addressed in the following products:
  Red Hat Satellite 6.12 for RHEL 8
Via RHSA-2023:0261 https://access.redhat.com/errata/RHSA-2023:0261

This issue has been addressed in the following products:
  Red Hat Satellite 6.11 for RHEL 8
  Red Hat Satellite 6.11 for RHEL 7
Via RHSA-2023:1151 https://access.redhat.com/errata/RHSA-2023:1151

This issue has been addressed in the following products:
  Red Hat Satellite 6.13 for RHEL 8
Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097