Bug 1852380 (CVE-2020-8185) - CVE-2020-8185 rubygem-rails: untrusted users able to run pending migrations in production
Summary: CVE-2020-8185 rubygem-rails: untrusted users able to run pending migrations i...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-8185
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1852381 1852503
Blocks: 1852382
TreeView+ depends on / blocked
 
Reported: 2020-06-30 10:07 UTC by Dhananjay Arunesh
Modified: 2021-12-14 18:47 UTC (History)
30 users (show)

Fixed In Version: rubygem-rails-6.0.3.2
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-30 17:20:37 UTC


Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-06-30 10:07:24 UTC
There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.

References:
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8185.yml

Comment 1 Dhananjay Arunesh 2020-06-30 10:08:05 UTC
Created rubygem-rails tracking bugs for this issue:

Affects: fedora-all [bug 1852381]

Comment 4 Yadnyawalk Tale 2020-06-30 13:02:25 UTC
Upstream patch: https://github.com/rails/rails/commit/661da266b94909574426fd1121ef13b800e01b9a

Comment 5 Yadnyawalk Tale 2020-06-30 13:02:34 UTC
External References:

https://weblog.rubyonrails.org/2020/6/17/Rails-6-0-3-2-has-been-released

Comment 8 Yadnyawalk Tale 2020-06-30 14:49:03 UTC
Statement:

Red Hat Satellite and Red Hat CloudForms do not ship vulnerable versions of RubyGem Rails hence not affected to the flaw.

Comment 10 Product Security DevOps Team 2020-06-30 17:20:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8185


Note You need to log in before you can comment on or make changes to this bug.