[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage

2,340 views
Skip to first unread message

Aaron Patterson

unread,
Mar 8, 2022, 1:41:06 PM3/8/22
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com
There is a possible code injection vulnerability in the Active Storage module
of Rails. This vulnerability has been assigned the CVE identifier
CVE-2022-21831.

Versions Affected:  >= 5.2.0
Not affected:       < 5.2.0
Fixed Versions:     7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

Impact
------
There is a possible code injection vulnerability in the Active Storage module
of Rails.  This vulnerability impacts applications that use Active Storage
with the image_processing processing in addition to the mini_magick back end
for image_processing.

Vulnerable code will look something similar to this:

```ruby
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```

Where the transformation method or its arguments are untrusted arbitrary
input.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
To work around this issue, applications should implement a strict allow-list
on accepted transformation methods or arguments.  Additionally, a strict image
magick security policy will help mitigate this issue.

  https://imagemagick.org/script/security-policy.php

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 5-2-active-storage-code-injection.patch - Patch for 5.2 series
* 6-0-active-storage-code-injection.patch - Patch for 6.0 series
* 6-1-active-storage-code-injection.patch - Patch for 6.1 series
* 7-0-active-storage-code-injection.patch - Patch for 7.0 series

Please note that only the 7.0.Z, 6.1.Z, 6.0.Z, and 5.2.Z series are supported
at present. Users of earlier unsupported releases are advised to upgrade as
soon as possible as we cannot guarantee the continued availability of security
fixes for unsupported releases.

Credits
-------

Thanks to [@gquadros_](https://hackerone.com/gquadros_) for reporting this and
Zack Deveau of Shopify for writing the patches
5-2-active-storage-code-injection.patch
6-0-active-storage-code-injection.patch
7-0-active-storage-code-injection.patch
6-1-active-storage-code-injection.patch
Reply all
Reply to author
Forward
0 new messages