GHSA-w749-p3v6-hccq

Source
https://github.com/advisories/GHSA-w749-p3v6-hccq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-w749-p3v6-hccq/GHSA-w749-p3v6-hccq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w749-p3v6-hccq
Aliases
Published
2022-03-08T21:25:54Z
Modified
2024-02-20T05:38:21.363295Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Possible code injection vulnerability in Rails / Active Storage
Details

The Active Storage module of Rails starting with version 5.2.0 is possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.

References

Affected packages

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.6.3

Affected versions

5.*

5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2
5.2.4.3
5.2.4.4
5.2.4.5
5.2.4.6
5.2.5
5.2.6
5.2.6.1
5.2.6.2

Database specific

{
    "last_known_affected_version_range": "<= 5.2.6.2"
}

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.4.7

Affected versions

6.*

6.0.0
6.0.1.rc1
6.0.1
6.0.2.rc1
6.0.2.rc2
6.0.2
6.0.2.1
6.0.2.2
6.0.3.rc1
6.0.3
6.0.3.1
6.0.3.2
6.0.3.3
6.0.3.4
6.0.3.5
6.0.3.6
6.0.3.7
6.0.4
6.0.4.1
6.0.4.2
6.0.4.3
6.0.4.4
6.0.4.5
6.0.4.6

Database specific

{
    "last_known_affected_version_range": "<= 6.0.4.6"
}

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.4.7

Affected versions

6.*

6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.3
6.1.3.1
6.1.3.2
6.1.4
6.1.4.1
6.1.4.2
6.1.4.3
6.1.4.4
6.1.4.5
6.1.4.6

Database specific

{
    "last_known_affected_version_range": "<= 6.1.4.6"
}

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.2.3

Affected versions

7.*

7.0.0
7.0.1
7.0.2
7.0.2.1
7.0.2.2

Database specific

{
    "last_known_affected_version_range": "<= 7.0.2.2"
}