Search for packages
| purl | pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2 |
| Next non-vulnerable version | 2:7.2.3.1+dfsg-1 |
| Latest non-vulnerable version | 2:7.2.3.1+dfsg-1 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3hur-esmy-x3hr
Aliases: CVE-2024-47888 GHSA-wwhv-wxv9-rpgw |
Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888. Impact ------ Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2 Credits ------- Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report! |
Affected by 9 other vulnerabilities. |
|
VCID-4tzv-1t1b-t3g3
Aliases: CVE-2026-33169 GHSA-cg4j-q9v8-6v38 |
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited ### Impact `NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters. This could produce quadratic time complexity on long digit strings. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-5tky-d2en-u7c7
Aliases: CVE-2026-33170 GHSA-89vf-4333-qx8v |
Rails Active Support has a possible XSS vulnerability in SafeBuffer#% ### Impact `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-6pxd-xsaw-tuer
Aliases: CVE-2023-38037 GHSA-cr5q-6q9f-rq6q |
Active Support Possibly Discloses Locally Encrypted Files There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5 |
Affected by 9 other vulnerabilities. |
|
VCID-96qr-hdbp-p7ff
Aliases: CVE-2026-33168 GHSA-v55j-83pf-r9cq |
Rails has a possible XSS vulnerability in its Action View tag helpers ### Impact When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-a6z9-5n6k-2kak
Aliases: CVE-2026-33173 GHSA-qcfx-2mfw-w4cg |
Rails Active Storage has possible content type bypass via metadata in direct uploads ### Impact Active Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a malicious direct-upload client could set these flags. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-ad6q-vtdf-syb6
Aliases: CVE-2026-33658 GHSA-p9fm-f462-ggrg |
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests ### Impact Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-dd9p-x7k3-37ea
Aliases: CVE-2023-28362 GHSA-4g8v-vg43-wpgf |
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362. Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4 |
Affected by 9 other vulnerabilities. |
|
VCID-g3rk-djae-pkeh
Aliases: CVE-2024-54133 GHSA-vfm5-rmrh-j26v |
Possible Content Security Policy bypass in Action Dispatch There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack. Impact ------ Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input. Credits ------- Thanks to [ryotak](https://hackerone.com/ryotak) for the report! |
Affected by 9 other vulnerabilities. |
|
VCID-hatd-vkun-13hj
Aliases: CVE-2026-33202 GHSA-73f9-jhhh-hr5m |
Rails Active Storage has possible glob injection in its DiskService ### Impact Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-n8r7-wthv-fqaj
Aliases: CVE-2022-32224 GHSA-3hhc-qp5v-9p2j GMS-2022-3029 |
Active Record RCE bug with Serialized Columns When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted. |
Affected by 9 other vulnerabilities. |
|
VCID-qxe4-dubt-1kfp
Aliases: CVE-2026-33174 GHSA-r46p-8f7g-vvvg |
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests ### Impact When serving files through Active Storage's `Blobs::ProxyController`, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-sarm-n22v-akcm
Aliases: CVE-2026-33176 GHSA-2j26-frm8-cmj9 |
Rails Active Support has a possible DoS vulnerability in its number helpers ### Impact Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-sfyc-jewr-wuf5
Aliases: CVE-2024-47887 GHSA-vfg9-r3fq-jvx4 |
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887. Impact ------ For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users on Ruby 3.2 are unaffected by this issue. Credits ------- Thanks to [scyoon](https://hackerone.com/scyoon) for reporting |
Affected by 9 other vulnerabilities. |
|
VCID-sgdb-985e-4uej
Aliases: CVE-2024-41128 GHSA-x76w-6vjr-8xgj |
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128. Impact ------ Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users on Ruby 3.2 are unaffected by this issue. Credits ------- Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches! |
Affected by 9 other vulnerabilities. |
|
VCID-sygb-mygd-s3gb
Aliases: CVE-2022-44566 GHSA-579w-22j4-4749 GMS-2023-59 |
Duplicate This advisory duplicates another. |
Affected by 9 other vulnerabilities. |
|
VCID-wpmk-wgpm-cuee
Aliases: CVE-2026-33195 GHSA-9xrj-h377-fr87 |
Rails Active Storage has possible Path Traversal in DiskService ### Impact Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. ### Releases The fixed releases are available at the normal locations. |
Affected by 0 other vulnerabilities. |
|
VCID-yy6t-ybeu-qycc
Aliases: CVE-2024-47889 GHSA-h47h-mwp9-c6q6 |
Possible ReDoS vulnerability in block_format in Action Mailer There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889. Impact ------ Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users can avoid calling the `block_format` helper or upgrade to Ruby 3.2 Credits ------- Thanks to yuki_osaki for the report! |
Affected by 9 other vulnerabilities. |
|
VCID-yzpx-3gam-y3bu
Aliases: CVE-2025-24293 GHSA-r4mg-4433-c7g3 |
Active Storage allowed transformation methods that were potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. This has been assigned the CVE identifier CVE-2025-24293. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1 Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this! |
Affected by 9 other vulnerabilities. |
|
VCID-zqzx-avvt-wkhm
Aliases: CVE-2025-55193 GHSA-76r7-hhxj-r776 |
Active Record logging vulnerable to ANSI escape injection This vulnerability has been assigned the CVE identifier CVE-2025-55193 ### Impact The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. ### Releases The fixed releases are available at the normal locations. ### Credits Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability |
Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-12x8-jxdf-jqdz | Actionpack Open Redirect Vulnerability The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. |
CVE-2021-22881
GHSA-8877-prq4-9xfw |
| VCID-19fr-55kr-hyax | rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements NOTE: rails-ujs is part of Rails/actionview since 5.1.0. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute. This vulnerability has been assigned the CVE identifier CVE-2023-23913. Not affected: < 5.1.0 Versions Affected: >= 5.1.0 Fixed Versions: 6.1.7.3, 7.0.4.3 Impact If the specified malicious HTML clipboard content is provided to a contenteditable element, this could result in the arbitrary execution of javascript on the origin in question. Releases The FIXED releases are available at the normal locations. Workarounds We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can attempt to mitigate this vulnerability by removing the contenteditable attribute from elements in pages that rails-ujs will interact with. Patches To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series * rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits We would like to thank ryotak 15 for reporting this! * rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB) * rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB) * rails-ujs-data-method-contenteditable-main.patch (8.9 KB) |
CVE-2023-23913
GHSA-xp5h-f8jf-rc8q |
| VCID-1bxs-yghe-cyck | URL Redirection to Untrusted Site ('Open Redirect') A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. |
CVE-2021-22942
GHSA-2rqw-v265-jf8c |
| VCID-1rxp-g9rz-4yb3 | Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input. |
CVE-2023-28120
GHSA-pj73-v5mw-pm9j GMS-2023-765 |
| VCID-1x8k-t8mr-3fgp | URL Redirection to Untrusted Site ('Open Redirect') A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. |
CVE-2021-44528
GHSA-qphc-hf5q-v8fc |
| VCID-31xv-z8c6-a7bg | XSS in Action View There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. ### Impact When an HTML-unsafe string is passed as the default for a missing translation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations), the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples: ```erb <%# The welcome_html translation is not defined for the current locale: %> <%= t("welcome_html", default: untrusted_user_controlled_string) %> <%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %> <%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %> ``` ### Patches Patched Rails versions, 6.0.3.3 and 5.2.4.4, are available from the normal locations. The patches have also been applied to the `master`, `6-0-stable`, and `5-2-stable` branches on GitHub. If you track any of these branches, you should update to the latest. To aid users who aren’t able to upgrade immediately, we’ve provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * [5-2-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-5-2-translate-helper-xss-patch) — patch for the 5.2 release series * [6-0-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-6-0-translate-helper-xss-patch) — patch for the 6.0 release series Please note that only the 5.2 and 6.0 release series are currently supported. Users of earlier, unsupported releases are advised to update as soon as possible, as we cannot provide security fixes for unsupported releases. ### Workarounds Impacted users who can’t upgrade to a patched Rails version can avoid this issue by manually escaping default translations with the `html_escape` helper (aliased as `h`): ```erb <%= t("welcome_html", default: h(untrusted_user_controlled_string)) %> ``` |
CVE-2020-15169
GHSA-cfjv-5498-mph5 |
| VCID-5qu2-b8gt-7qe3 | Active Record subject to Regular Expression Denial-of-Service (ReDoS) The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input. |
CVE-2021-22880
GHSA-8hc4-xxm3-5ppp |
| VCID-63gy-6njy-kbd8 | ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. |
CVE-2023-22792
GHSA-p84v-45xj-wwqj GMS-2023-58 |
| VCID-6ku5-mtgz-zygw | Duplicate This advisory duplicates another. |
CVE-2023-22796
GHSA-j6gc-792m-qgm2 GMS-2023-61 |
| VCID-895a-ydc5-zfg6 | Circumvention of file size limits in ActiveStorage There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user. Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1 Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size. Workarounds ----------- This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded. |
CVE-2020-8162
GHSA-m42x-37p3-fv5w |
| VCID-a6sp-18av-wya6 | Possible Strong Parameters Bypass in ActionPack There is a strong parameters bypass vector in ActionPack. Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input. Impacted code will look something like this: ``` def update # Attacker has included the parameter: `{ is_admin: true }` User.update(clean_up_params) end def clean_up_params params.each { |k, v| SomeModel.check(v) if k == :name } end ``` Note the mistaken use of `each` in the `clean_up_params` method in the above example. Workarounds ----------- Do not use the return values of `each`, `each_value`, or `each_pair` in your application. |
CVE-2020-8164
GHSA-8727-m6gj-mc37 |
| VCID-ce39-j83r-6ug9 | Duplicate This advisory duplicates another. |
CVE-2022-22577
GHSA-mm33-5vfq-3mm3 GMS-2022-1137 |
| VCID-drg6-gj1f-h7ea | Duplicate This advisory duplicates another. |
CVE-2022-21831
GHSA-w749-p3v6-hccq GMS-2022-301 |
| VCID-es1t-7196-4kbb | CSRF Vulnerability in rails-ujs There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains. Versions Affected: rails <= 6.0.3 Not affected: Applications which don't use rails-ujs. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent. Workarounds ----------- To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters. For example, code like this: link_to params to code like this: link_to filtered_params def filtered_params # Filter just the parameters that you trust end |
CVE-2020-8167
GHSA-xq5j-gw7f-jgj8 |
| VCID-gjey-bqtd-kqa1 | Action Pack contains Information Disclosure / Unintended Method Execution vulnerability Impact ------ There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. Vulnerable code will look like this. ``` redirect_to(params[:some_param]) ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example, ```ruby private def check(param) case param when "valid" param else "/" end end def index redirect_to(check(params[:some_param])) end ``` Or force the user input to be cast to a string like this, ```ruby def index redirect_to(params[:some_param].to_s) end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-information-disclosure.patch - Patch for 5.2 series * 6-0-information-disclosure.patch - Patch for 6.0 series * 6-1-information-disclosure.patch - Patch for 6.1 series Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Benoit Côté-Jodoin from Shopify for reporting this. |
CVE-2021-22885
GHSA-hjg4-8q5f-x6fm |
| VCID-hppf-a715-r7b2 | ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. |
CVE-2023-22795
GHSA-8xww-x3g3-6jcv GMS-2023-56 |
| VCID-jwun-grgg-2uet | Exposure of information in Action Pack Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used. |
CVE-2022-23633
CVE-2022-23634 GHSA-rmj8-8hhh-gv5h GHSA-wh98-p28r-vrc9 |
| VCID-mnkw-23eu-bkgc | Ability to forge per-form CSRF tokens in Rails It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session. Impact ------ Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session. Workarounds ----------- This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded. |
CVE-2020-8166
GHSA-jp5v-5gx4-jmj9 |
| VCID-p5mc-r1rg-5ff7 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview. |
CVE-2022-27777
GHSA-ch3h-j2vf-95pv GMS-2022-1138 |
| VCID-t684-yp58-hkg8 | ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like: ``` data = cache.fetch("demo", raw: true) { untrusted_string } ``` Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum, this vulnerability allows an attacker to inject untrusted Ruby objects into a web application. In addition to upgrading to the latest versions of Rails, developers should ensure that whenever they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes, detect if data was serialized using the raw option upon deserialization. Workarounds ----------- It is recommended that application developers apply the suggested patch or upgrade to the latest release as soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using the `raw` argument should be double-checked to ensure that they conform to the expected format. |
CVE-2020-8165
GHSA-2p68-f74v-9wc6 |
| VCID-t9yh-ss8z-e3cb | Duplicate This advisory duplicates another. |
CVE-2023-22794
GHSA-hq7p-j377-6v63 GMS-2023-60 |
| VCID-v9mt-t1pb-hybk | Cross site scripting vulnerability in ActionView There is a possible cross site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. ### Impact There is a possible XSS vulnerability in the `j` and `escape_javascript` methods in ActionView. These methods are used for escaping JavaScript string literals. Impacted code will look something like this: ```erb <script>let a = `<%= j unknown_input %>`</script> ``` or ```erb <script>let a = `<%= escape_javascript unknown_input %>`</script> ``` ### Releases The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations. ### Workarounds For those that can't upgrade, the following monkey patch may be used: ```ruby ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!( { "`" => "\\`", "$" => "\\$" } ) module ActionView::Helpers::JavaScriptHelper alias :old_ej :escape_javascript alias :old_j :j def escape_javascript(javascript) javascript = javascript.to_s if javascript.empty? result = "" else result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) end javascript.html_safe? ? result.html_safe : result end alias :j :escape_javascript end ``` ### Patches To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * [5-2-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-5-2-js-helper-xss-patch) - Patch for 5.2 series * [6-0-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-6-0-js-helper-xss-patch) - Patch for 6.0 series Please note that only the 5.2 and 6.0 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. ### Credits Thanks to Jesse Campos from Chef Secure |
CVE-2020-5267
GHSA-65cv-r6x7-79hv |
| VCID-wg3a-j2dp-ayh4 | Possible DoS Vulnerability in Action Controller Token Authentication There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 Impact ------ Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. Impacted code will look something like this: ``` class PostsController < ApplicationController before_action :authenticate private def authenticate authenticate_or_request_with_http_token do |token, options| # ... end end end ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue: ```ruby module ActionController::HttpAuthentication::Token AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/ end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-http-authentication-dos.patch - Patch for 5.2 series * 6-0-http-authentication-dos.patch - Patch for 6.0 series * 6-1-http-authentication-dos.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue! |
CVE-2021-22904
GHSA-7wjx-3g7j-8584 |
| VCID-wyy6-h8bq-vyde | Denial of Service in Action Dispatch Impact ------ There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue. ```ruby module Mime class Type MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/ end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.0 series * 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Security Curious <security...@pm.me> for reporting this! |
CVE-2021-22902
GHSA-g8ww-46x2-2p65 |
| VCID-zy7d-3db6-sydw | Cross-site scripting in actionpack In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware. Workarounds ----------- Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb: `config.middleware.delete ActionDispatch::ActionableExceptions` |
CVE-2020-8264
GHSA-35mm-cc6r-8fjp |