[CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack

Aaron Patterson

May 18, 2020, 11:56:15 AM5/18/20
to rubyonrail...@googlegroups.com, ruby-sec...@googlegroups.com
# Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack. This vulnerability has been
assigned the CVE identifier CVE-2020-8164.

Versions Affected: rails <= 6.0.3
Not affected: rails < 4.0.0
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------
In some cases user supplied information can be inadvertently leaked from
Strong Parameters. Specifically, `each`, `each_value` and `each_pair` on an
`ActionController::Parameters` object return the underlying "untrusted" hash of
data that was read from the request parameters, rather than the Parameters
object itself. Applications that use this return value may inadvertently use
untrusted user input, bypassing the permit/forbidden-attributes protection
that Strong Parameters is meant to provide.

Impacted code will look something like this:

```
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
  # The return value of `each` is the raw underlying hash, not a
  # permitted Parameters object, so `is_admin` reaches User.update.
  params.each { |k, v| SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above
example.

Releases
--------
The 5.2.4.3 and 6.0.3.1 releases are available at the normal locations.

Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your
application; pass an explicitly permitted Parameters object (for example the
result of `permit`) to model methods instead.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 5-2-strong-params.patch - Patch for 5.2 series
* 6-0-strong-params.patch - Patch for 6.0 series

Please note that only the 6.0 and 5.2 series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits
-------

Thanks to Achilleas (@abuisman) for reporting this issue via our HackerOne bug bounty program.
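The following is an added illustration, not code from the advisory or from Rails itself, of why the return value mattered. It uses a small stand-in class (`FakeParameters`, an assumption of this example) in place of `ActionController::Parameters`, with one iteration method modelled on the unpatched delegation (the raw hash comes back) and one on the patched behaviour (the Parameters object comes back). The `sanitize_for_mass_assignment` check mirrors the logic of `ActiveModel::ForbiddenAttributesProtection`: only objects that respond to `permitted?` and answer false are rejected, which is exactly what a bare `Hash` never does. The request body is constructed.

```ruby
# Added example; FakeParameters, update_user and the request body are
# assumptions of this illustration, not Rails APIs.

class ForbiddenAttributesError < StandardError; end

# Minimal stand-in for ActionController::Parameters (the real class wraps a
# HashWithIndifferentAccess; a symbol-keyed Hash is enough here).
class FakeParameters
  attr_reader :permitted
  alias permitted? permitted

  def initialize(hash, permitted: false)
    @parameters = hash
    @permitted = permitted
  end

  # Only the listed keys survive, and the result is marked permitted.
  def permit(*keys)
    FakeParameters.new(@parameters.select { |k, _| keys.include?(k) }, permitted: true)
  end

  # Unpatched shape (modelled on the pre-fix delegation): the block runs for
  # every pair, but Hash#each_pair returns the receiver, so the caller is
  # handed the raw wrapped Hash.
  def each_pair_unpatched(&block)
    @parameters.each_pair(&block)
  end
  alias each_unpatched each_pair_unpatched

  # Patched shape: iterate, then return self, so the caller still holds an
  # unpermitted Parameters object instead of a bare Hash.
  def each_pair(&block)
    @parameters.each_pair(&block)
    self
  end
  alias each each_pair

  def to_h
    @parameters.dup
  end
end

# Mirrors the check in ActiveModel::ForbiddenAttributesProtection: reject
# anything that responds to permitted? and says false. A plain Hash does not
# respond to permitted?, so it passes untouched.
def sanitize_for_mass_assignment(attributes)
  if attributes.respond_to?(:permitted?) && !attributes.permitted?
    raise ForbiddenAttributesError, "unpermitted parameters"
  end
  attributes.to_h
end

# Stand-in for a model update: returns the attributes that would be written.
def update_user(attributes)
  sanitize_for_mass_assignment(attributes)
end

# The advisory's pattern against the unpatched iteration method.
def clean_up_params_unpatched(params)
  params.each_unpatched { |k, v| raise ArgumentError, "bad name" if k == :name && v.to_s.empty? }
end

# The same code against the patched iteration method.
def clean_up_params_patched(params)
  params.each { |k, v| raise ArgumentError, "bad name" if k == :name && v.to_s.empty? }
end

# What the code should do on any version: whitelist explicitly.
def clean_up_params_safe(params)
  params.each { |k, v| raise ArgumentError, "bad name" if k == :name && v.to_s.empty? }
  params.permit(:name)
end

# Constructed attacker request body: is_admin was never permitted.
ATTACKER_PARAMS = { name: "mallory", is_admin: true }.freeze

def demo
  params = FakeParameters.new(ATTACKER_PARAMS)
  before = update_user(clean_up_params_unpatched(params)) # raw Hash slips through
  after = begin
    update_user(clean_up_params_patched(params))          # now rejected
  rescue ForbiddenAttributesError => e
    e.class.name
  end
  safe = update_user(clean_up_params_safe(params))        # only :name written
  { before: before, after: after, safe: safe }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running `demo` shows the three outcomes side by side: with the unpatched return value the model receives `{ name: "mallory", is_admin: true }` and writes it, with the patched return value the same controller code raises `ForbiddenAttributesError`, and with an explicit `permit(:name)` only the whitelisted attribute is written. The fix makes the mistake fail loudly; the workaround of never relying on the return value removes the mistake altogether.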