With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit. External References: https://groups.google.com/d/msg/rubyonrails-security/IsQKvDqZdKw/UYgRCJz2CgAJ
Created rubygem-rails tracking bugs for this issue: Affects: fedora-all [bug 1689155]
References: https://seclists.org/oss-sec/2019/q1/176
Looks like this was introduced via https://github.com/rails/rails/commit/69f976b859cae7f9d050152103da018b7f5dda6d
The versions we ship do not contain this change yet and are not affected by this issue.
Statement: This issue did not affect the versions of rh-ror42-rubygem-rails and rh-ror50-rubygem-rails as shipped with Red Hat Software Collections.
Note for affected versions.
> Versions Affected: 6.0.0.X, 5.2.X.
> Fixed Versions: 6.0.0.beta3, 5.2.2.1
> https://groups.google.com/d/msg/rubyonrails-security/IsQKvDqZdKw/UYgRCJz2CgAJ