GHSA-8727-m6gj-mc37

Suggest an improvement
Source
https://github.com/advisories/GHSA-8727-m6gj-mc37
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-8727-m6gj-mc37/GHSA-8727-m6gj-mc37.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8727-m6gj-mc37
Aliases
Published
2020-05-26T15:09:16Z
Modified
2023-11-01T05:19:24.770014Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Possible Strong Parameters Bypass in ActionPack
Details

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of each, or each_value, or each_pair will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.

Impacted code will look something like this:

def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end

Note the mistaken use of each in the clean_up_params method in the above example.

Workarounds

Do not use the return values of each, each_value, or each_pair in your application.

References

Affected packages

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.2.4.3

Affected versions

5.*

5.0.0
5.0.0.1
5.0.1.rc1
5.0.1.rc2
5.0.1
5.0.2.rc1
5.0.2
5.0.3
5.0.4.rc1
5.0.4
5.0.5.rc1
5.0.5.rc2
5.0.5
5.0.6.rc1
5.0.6
5.0.7
5.0.7.1
5.0.7.2
5.1.0.beta1
5.1.0.rc1
5.1.0.rc2
5.1.0
5.1.1
5.1.2.rc1
5.1.2
5.1.3.rc1
5.1.3.rc2
5.1.3.rc3
5.1.3
5.1.4.rc1
5.1.4
5.1.5.rc1
5.1.5
5.1.6
5.1.6.1
5.1.6.2
5.1.7.rc1
5.1.7
5.2.0.beta1
5.2.0.beta2
5.2.0.rc1
5.2.0.rc2
5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2

Database specific

{
    "last_known_affected_version_range": "<= 5.2.4.2"
}

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.3.1

Affected versions

6.*

6.0.0
6.0.1.rc1
6.0.1
6.0.2.rc1
6.0.2.rc2
6.0.2
6.0.2.1
6.0.2.2
6.0.3.rc1
6.0.3

Database specific

{
    "last_known_affected_version_range": "<= 6.0.3"
}