In the scenario where an attacker might be able to control the name of a local passed into `render`, they can achieve remote code execution. Reference: https://groups.google.com/forum/#!msg/rubyonrails-security/hWuKcHyoKh0/9Zk-qxXXAAAJ
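As an added example (not code from the bug report or from Rails itself): a defensive filter for the situation described above, where the names of locals handed to `render` could be influenced by request input. Rails compiles local names into generated Ruby source, so only plain identifiers should ever reach `render`; the regex and keyword list here are this example's own choices, not Rails' exact implementation.

```ruby
# Ruby keywords that would otherwise look like valid identifiers but must
# never be used as local variable names. (Example's own list, assumption.)
RUBY_KEYWORDS = %w[
  alias and begin BEGIN break case class def do else elsif end END
  ensure false for if in module next nil not or redo rescue retry return
  self super then true undef unless until when while yield
  __FILE__ __LINE__ __ENCODING__
].freeze

# A local name is acceptable only if it is a lowercase identifier: starts
# with a letter or underscore, continues with word characters, and is not
# a reserved keyword. Anything else (whitespace, punctuation, constant-style
# names) is rejected before it can be interpolated into generated code.
LOCAL_NAME = /\A[a-z_][a-zA-Z0-9_]*\z/

def safe_local_name?(name)
  s = name.to_s
  return false unless s.match?(LOCAL_NAME)
  !RUBY_KEYWORDS.include?(s)
end

# Keep only the entries whose keys pass the check. Rejected keys are returned
# separately so the caller can log them for detection purposes.
def filter_locals(locals)
  accepted, rejected = locals.partition { |k, _| safe_local_name?(k) }
  [accepted.to_h, rejected.map(&:first)]
end

# Constructed sample input: benign keys mixed with keys that are not valid
# Ruby identifiers and therefore must never be passed to `render` as locals.
SAMPLE_LOCALS = {
  "title"     => "Hello",
  :count      => 3,
  "user name" => "x",   # whitespace: not an identifier
  "end"       => "y",   # reserved keyword
  "Title"     => "z",   # constant-style name, rejected
  "x;y"       => "w",   # punctuation: not an identifier
}.freeze

if __FILE__ == $0
  ok, bad = filter_locals(SAMPLE_LOCALS)
  puts "accepted: #{ok.keys.inspect}"   # accepted: ["title", :count]
  puts "rejected: #{bad.inspect}"
end
```

Only the filtered hash should be passed on, e.g. `render partial: "item", locals: ok`, with the rejected names written to the application log.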
We have very limited information since the reproducer from HackerOne/the reporter/Rails is not public. According to the newest patch, the vulnerable code in the following locations has this problem:
activesupport/lib/active_support/core_ext/module/delegation.rb
actionview/lib/action_view/template.rb
That means that, in addition to the rubygem-rails bundle, the individual activesupport and actionview gems are also affected. This issue has been fixed in rubygem-rails-4.2.11.3, rubygem-rails-5.0.1 or later.
External References: https://weblog.rubyonrails.org/2020/5/16/rails-4-2-11-3-has-been-released
Found out Rails released a new 4.2.11.3 version due to a regression created after the CVE fix in 4.2.11.2. More info: https://github.com/rails/rails/issues/39301
Should we track this with existing rubygem-rails multi-flawed Bugzilla for CloudForms and Satellite?
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8163