GHSA-w749-p3v6-hccq

Suggest an improvement
Source
https://github.com/advisories/GHSA-w749-p3v6-hccq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-w749-p3v6-hccq/GHSA-w749-p3v6-hccq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w749-p3v6-hccq
Aliases
Published
2022-03-08T21:25:54Z
Modified
2024-02-20T05:34:32.510872Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Possible code injection vulnerability in Rails / Active Storage
Details

The Active Storage module of Rails starting with version 5.2.0 is possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.

References

Affected packages

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.6.3

Affected versions

5.*

5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2
5.2.4.3
5.2.4.4
5.2.4.5
5.2.4.6
5.2.5
5.2.6
5.2.6.1
5.2.6.2

Database specific

{
    "last_known_affected_version_range": "<= 5.2.6.2"
}

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.4.7

Affected versions

6.*

6.0.0
6.0.1.rc1
6.0.1
6.0.2.rc1
6.0.2.rc2
6.0.2
6.0.2.1
6.0.2.2
6.0.3.rc1
6.0.3
6.0.3.1
6.0.3.2
6.0.3.3
6.0.3.4
6.0.3.5
6.0.3.6
6.0.3.7
6.0.4
6.0.4.1
6.0.4.2
6.0.4.3
6.0.4.4
6.0.4.5
6.0.4.6

Database specific

{
    "last_known_affected_version_range": "<= 6.0.4.6"
}

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.4.7

Affected versions

6.*

6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.3
6.1.3.1
6.1.3.2
6.1.4
6.1.4.1
6.1.4.2
6.1.4.3
6.1.4.4
6.1.4.5
6.1.4.6

Database specific

{
    "last_known_affected_version_range": "<= 6.1.4.6"
}

RubyGems / activestorage

Package

Name
activestorage
Purl
pkg:gem/activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.2.3

Affected versions

7.*

7.0.0
7.0.1
7.0.2
7.0.2.1
7.0.2.2

Database specific

{
    "last_known_affected_version_range": "<= 7.0.2.2"
}