Aaron Patterson
May 18, 2020, 11:56:15 AM
to rubyonrail...@googlegroups.com, ruby-sec...@googlegroups.com
# Possible Strong Parameters Bypass in ActionPack
There is a strong parameters bypass vector in ActionPack. This vulnerability has been
assigned the CVE identifier CVE-2020-8164.
Versions Affected: rails <= 6.0.3
Not affected: rails < 4.0.0
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
------
In some cases user-supplied information can be inadvertently leaked from
Strong Parameters. Specifically, the return value of `each`, `each_value`, or
`each_pair` is the underlying "untrusted" hash of data that was read from the
parameters. Applications that use this return value may inadvertently use
untrusted user input.
Impacted code will look something like this:
```ruby
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
  params.each { |k, v| SomeModel.check(v) if k == :name }
end
```
Note the mistaken use of `each` in the `clean_up_params` method in the above
example.
Releases
--------
The 5.2.4.3 and 6.0.3.1 releases are available at the normal locations.
Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your
application.
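The following is an added example, not code from the advisory or from Rails itself. It uses a toy stand-in for `ActionController::Parameters` (the class `ToyParameters`, the helpers `clean_up_params_vulnerable`, `clean_up_params_fixed` and `attributes_written`, and the constructed request body `ATTACKER_PARAMS` are all assumptions made for this example) to show why the mistaken `each` pattern in the Impact section leaks the unfiltered hash, and what the workaround looks like in practice: iterate if you must, but hand the model only what `permit` returns.

```ruby
# Toy stand-in for ActionController::Parameters, constructed for this example.
# It wraps an untrusted hash and only hands out keys that were explicitly
# permitted. It is not Rails' implementation.
class ToyParameters
  def initialize(hash)
    # Untrusted request data, keyed by symbol like a Rails params hash.
    @parameters = hash.transform_keys(&:to_sym)
  end

  # Allow-listed extraction: the only safe way to turn params into attributes.
  def permit(*keys)
    @parameters.select { |k, _| keys.include?(k) }
  end

  # Models the vulnerable behaviour: delegating straight to Hash#each makes
  # the method's return value the raw, unfiltered hash.
  def each_leaky(&block)
    @parameters.each(&block)
  end

  # Models the fixed behaviour: iterate, but return the wrapper so the raw
  # hash cannot escape through the return value.
  def each(&block)
    @parameters.each(&block)
    self
  end
end

# Constructed request body: the user sets `name` and also smuggles `is_admin`.
ATTACKER_PARAMS = { "name" => "alice", "is_admin" => true }.freeze

# Mirrors the advisory's mistaken helper: the method's value is whatever
# `each` returned, which with the vulnerable behaviour is the untrusted hash.
def clean_up_params_vulnerable(params)
  params.each_leaky { |k, v| v.to_s if k == :name }
end

# Corrected helper: iterate for validation if needed, then return only the
# allow-listed attributes rather than the value of `each`.
def clean_up_params_fixed(params)
  params.each { |k, v| v.to_s if k == :name }
  params.permit(:name)
end

# Stand-in for `User.update`: reports which attributes a model would receive.
def attributes_written(attrs)
  attrs.keys.map(&:to_sym).sort
end

if __FILE__ == $PROGRAM_NAME
  params = ToyParameters.new(ATTACKER_PARAMS)
  puts "vulnerable: #{attributes_written(clean_up_params_vulnerable(params)).inspect}"
  puts "fixed:      #{attributes_written(clean_up_params_fixed(params)).inspect}"
end
```

Run it with `ruby` and the vulnerable helper hands `is_admin` through to the model stand-in, while the fixed helper passes only `name`. The point is the one the advisory makes: once a wrapper's `each` returns the underlying hash, any code that treats that return value as "cleaned" parameters has silently bypassed the allow-list.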
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 5-2-strong-params.patch - Patch for 5.2 series
* 6-0-strong-params.patch - Patch for 6.0 series
Please note that only the 6.0 and 5.2 series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.
Credits
-------
Thanks to Achilleas (@abuisman) for reporting this issue via our HackerOne bug bounty program