[Security] Bump rails from 5.2.0 to 5.2.2.1 by dependabot-preview[bot] · Pull Request #13 · lyuich/sample-rails-ruby
Sourced from The GitHub Security Advisory Database.
Critical severity vulnerability that affects actionview
Denial of Service Vulnerability in Action View
Impact
Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server unable to process requests. This impacts all Rails applications that render views.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.
Workarounds
This vulnerability can be mitigated by wrapping
... (truncated)rendercalls withrespond_toblocks. For example, the following example is vulnerable:Affected versions: >= 5.2.0, <= 5.2.2
Sourced from The GitHub Security Advisory Database.
High severity vulnerability that affects actionview
File Content Disclosure in Action View
Impact
There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to
render file:can cause arbitrary files on the target server to be rendered, disclosing the file contents.The impact is limited to calls to
renderwhich render file contents without a specified accept format. Impacted code in a controller looks something like this:... (truncated)class UserController < ApplicationController def index render file: "#{Rails.root}/some/file" end endAffected versions: >= 5.2.0, <= 5.2.2
Sourced from The GitHub Security Advisory Database.
Moderate severity vulnerability that affects railties
Possible Remote Code Execution Exploit in Rails Development Mode
Impact
With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.
Workarounds
This issue can be mitigated by specifying a secret key in development mode. In "config/environments/development.rb" add this:
... (truncated)Affected versions: >= 5.2.0, <= 5.2.2
Sourced from The Ruby Advisory Database.
Bypass vulnerability in Active Storage There is a vulnerability in Active Storage. This vulnerability has been assigned the CVE identifier CVE-2018-16477.
Impact
Signed download URLs generated by
ActiveStoragefor Google Cloud Storage service and Disk service includecontent-dispositionandcontent-typeparameters that an attacker can modify. This can be used to upload specially crafted HTML files and have them served and executed inline. Combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path.Vulnerable apps are those using either GCS or the Disk service in production. Other storage services such as S3 or Azure aren't affected.
All users running an affected release should either upgrade or use one of the workarounds immediately. For those using GCS, it's also recommended to run the following to update existing blobs:
ActiveStorage::Blob.find_each do |blob| blob.send :update_service_metadata endPatched versions: >=5.2.1.1 Unaffected versions: < 5.2.0
Sourced from The Ruby Advisory Database.
Broken Access Control vulnerability in Active Job There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.
Impact
Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.
Vulnerable code will look something like this:
MyJob.perform_later(user_input)All users running an affected release should either upgrade or use one of the workarounds immediately.
Patched versions: >= 4.2.11, < 5.0.0; >= 5.0.7.1, < 5.1.0; >= 5.1.6.1, < 5.2.0; >= 5.2.1.1 Unaffected versions: < 4.2.0
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.
You can always request more updates by clicking Bump now in your Dependabot dashboard.