[CVE-2020-8163] Potential remote code execution of user-provided local names in Rails < 5.0.1
3,544 views
Skip to first unread message
Aaron Patterson
May 15, 2020, 12:34:04 PM5/15/20
to rubyonrail...@googlegroups.com, ruby-sec...@googlegroups.com
Potential remote code execution of user-provided local names in Rails < 5.0.1
There was a vulnerability in versions of Rails prior to 5.0.1 that would
allow an attacker who controlled the `locals` argument of a `render` call.
This vulnerability has been assigned the CVE identifier CVE-2020-8163.
Versions Affected: rails < 5.0.1
Not affected: Applications that do not allow users to control the names of locals.
Fixed Versions: 4.2.11.2
Impact
------
In the scenario where an attacker might be able to control the name of a
local passed into `render`, they can acheive remote code execution.
Releases
--------
Users of Rails 5.0 should upgrade to a version >= 5.0.1. This release is already
available on RubyGems.
Workarounds
-----------
Until such time as the patch can be applied, application developers should
ensure that all user-provided local names are alphanumeric.
Patches
-------
As mentioned above, we are releasing the following patch that should apply
cleanly to all releases prior to 5.0.1.
* 4-2-local-variable-restriction.patch
Credits
-------
Thanks to Marc Slemko for reporting this issue via our HackerOne bug bounty program.
There was a vulnerability in versions of Rails prior to 5.0.1 that would
allow an attacker who controlled the `locals` argument of a `render` call.
This vulnerability has been assigned the CVE identifier CVE-2020-8163.
Versions Affected: rails < 5.0.1
Not affected: Applications that do not allow users to control the names of locals.
Fixed Versions: 4.2.11.2
Impact
------
In the scenario where an attacker might be able to control the name of a
local passed into `render`, they can acheive remote code execution.
Releases
--------
Users of Rails 5.0 should upgrade to a version >= 5.0.1. This release is already
available on RubyGems.
Workarounds
-----------
Until such time as the patch can be applied, application developers should
ensure that all user-provided local names are alphanumeric.
Patches
-------
As mentioned above, we are releasing the following patch that should apply
cleanly to all releases prior to 5.0.1.
* 4-2-local-variable-restriction.patch
Credits
-------
Thanks to Marc Slemko for reporting this issue via our HackerOne bug bounty program.
Aaron Patterson
May 15, 2020, 2:44:10 PM5/15/20
to rubyonrail...@googlegroups.com, ruby-sec...@googlegroups.com
Hi,
There was an error in the patch so I’ve attached a new patch. Please apply this patch or upgrade to 4.2.11.3.
Thanks.
There was an error in the patch so I’ve attached a new patch. Please apply this patch or upgrade to 4.2.11.3.
Thanks.
Reply all
Reply to author
Forward
0 new messages