Bug 2064747 (CVE-2022-21831) - CVE-2022-21831 rubygem-activestorage: Code injection vulnerability in ActiveStorage
Summary: CVE-2022-21831 rubygem-activestorage: Code injection vulnerability in ActiveS...
Keywords:
Status: NEW
Alias: CVE-2022-21831
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2064748 2066631 2066632 2066633
Blocks: 2064750
Reported: 2022-03-16 13:28 UTC by Patrick Del Bello
Modified: 2024-03-06 09:37 UTC (History)

Fixed In Version: rails-7.0.2.3, rails-6.1.4.7, rails-6.0.4.7, rails-5.2.6.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Active Storage module of Rails, where the transformation method or its arguments for image_processing are taken from untrusted, arbitrary input. This flaw allows an attacker to inject code in Rails.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2022-03-16 13:28:36 UTC
There is a possible code injection vulnerability in the Active Storage module
of Rails.  This vulnerability impacts applications that use Active Storage
with the image_processing processing in addition to the mini_magick back end
for image_processing.

Vulnerable code will look something similar to this:

```ruby
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```

Where the transformation method or its arguments are untrusted arbitrary
input.


Versions Affected:  >= 5.2.0
Not affected:       < 5.2.0
Fixed Versions:     7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3


References:
https://github.com/advisories/GHSA-w749-p3v6-hccq
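
As an added example (not code from the Rails project or from this bug report), a hardened replacement for the `blob.variant(params[:t] => params[:v])` pattern above: the transformation method must be one of a fixed set of image_processing operations, and the argument is parsed into typed, bounded values before anything is passed on to Active Storage. The operation set, size limit and helper names are assumptions chosen for illustration.

```ruby
# Hardened construction of an Active Storage variant transformation.
# Both the operation name and its argument arrive untrusted (e.g. from
# params); neither is passed through as-is.

class UnsafeVariant < StandardError; end

MAX_DIMENSION = 4000 # assumed upper bound for width/height

# "WxH" -> [w, h], digits only, each within 1..MAX_DIMENSION.
PARSE_DIMENSIONS = lambda do |raw|
  m = /\A(\d{1,4})x(\d{1,4})\z/.match(raw.to_s)
  raise UnsafeVariant, "malformed size #{raw.inspect}" unless m
  dims = [m[1].to_i, m[2].to_i]
  raise UnsafeVariant, "size out of range" unless dims.all? { |d| d.between?(1, MAX_DIMENSION) }
  dims
end

# Only quarter-turn rotations, given as plain digits.
PARSE_ANGLE = lambda do |raw|
  ok = raw.to_s.match?(/\A\d{1,3}\z/) && [0, 90, 180, 270].include?(raw.to_i)
  raise UnsafeVariant, "bad angle #{raw.inspect}" unless ok
  raw.to_i
end

# Allowlist: operation name => validator producing the typed argument.
ALLOWED_TRANSFORMS = {
  "resize_to_limit" => PARSE_DIMENSIONS,
  "resize_to_fill"  => PARSE_DIMENSIONS,
  "rotate"          => PARSE_ANGLE,
}.freeze

# Returns a transformation hash suitable for blob.variant(...), or raises
# UnsafeVariant if the operation is not allowlisted or its argument is bad.
def safe_transformation(method_name, raw_value)
  validator = ALLOWED_TRANSFORMS[method_name.to_s]
  raise UnsafeVariant, "transformation not allowed: #{method_name.inspect}" unless validator
  { method_name.to_s.to_sym => validator.call(raw_value) }
end

# Boolean convenience wrapper for callers that want to fall back to a default.
def allowed_transformation?(method_name, raw_value)
  safe_transformation(method_name, raw_value)
  true
rescue UnsafeVariant
  false
end

# View-side use would then be (Rails, shown for context only):
#   <%= image_tag blob.variant(safe_transformation(params[:t], params[:v])) %>
```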

Comment 1 Patrick Del Bello 2022-03-16 13:28:53 UTC
Created rubygem-activestorage tracking bugs for this issue:

Affects: fedora-all [bug 2064748]

