Severity Rating: HIGH
Software Affected
• Rails versions 6.0.3 and prior to 6.0.3
• Rails versions prior to 5.2.5
• Rails versions prior to 6.0.4
• Rails versions prior to 5.2.4.2
• Rails versions prior to 6.0.3.1
Overview 
Multiple vulnerabilities have been reported in Rails that could allow a
remote attacker to perform cross-site request forgery and bypass security
controls on the targeted system.

Description
1. Circumvention of file size limits in ActiveStorage (CVE-2020-8162)

This vulnerability exists in ActiveStorage's S3 adapter and allows an
attacker to modify the Content-Length of a direct file upload. Successful
exploitation could allow the attacker to change the Content-Length of an
S3 direct upload URL without obtaining a new signature from the server,
bypassing server-side controls that limit upload size.

2. Possible Strong Parameters bypass in ActionPack (CVE-2020-8164)

This vulnerability is due to a Strong Parameters bypass vector in
ActionPack. In some cases, user-supplied data can inadvertently leak out of
Strong Parameters: the return value of `each`, `each_value` or `each_pair`
is the underlying "untrusted" hash of data read from the parameters, not a
permitted subset. Applications that use this return value may inadvertently
operate on untrusted user input.

3. Potentially unintended unmarshalling of user-provided objects in
MemCacheStore and RedisCacheStore (CVE-2020-8165)

This vulnerability is due to potentially unexpected behaviour in
MemCacheStore and RedisCacheStore when untrusted user input is written to
the cache store using the `raw: true` parameter. When the entry is later
read back, the cache store can evaluate the user input as a Marshalled
object instead of plain text. Successful exploitation may allow a remote
attacker to execute arbitrary code on the affected system. At minimum, the
vulnerability allows the attacker to inject untrusted Ruby objects into the
web application.

4. Cross-site request forgery (CSRF) vulnerability in the authenticity_token
meta tag (CVE-2020-8166)

Using a global CSRF token, such as the one present in the authenticity_token
meta tag, an attacker can forge a per-form CSRF token for any action within
that session.

5. Cross-site request forgery (CSRF) vulnerability in rails-ujs (CVE-2020-8167)

This vulnerability exists in rails-ujs and allows CSRF tokens to be sent to
the wrong domain. An attacker who is able to control the href attribute of
an anchor tag, or the action attribute of a form tag, that triggers a POST
request can set the href or action to a cross-origin URL, and rails-ujs
will send the CSRF token along with the request.
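As an added illustration of the defensive check behind item 5 (this is example code, not the rails-ujs source or the Rails patch), the function below withholds the authenticity token unless the link or form target resolves to the page's own origin. The function names `isSameOrigin` and `buildFormFields` are assumed, and the page origin is passed in explicitly so the code runs outside a browser.

```javascript
// Added example: decide whether a CSRF token may accompany the request that a
// data-method link or form would trigger. Not rails-ujs code.
const CSRF_TOKEN_PLACEHOLDER = 'constructed-token-not-a-real-secret';

// Returns true when `url` resolves to the same origin as `pageOrigin`.
// Relative URLs (the usual Rails case) resolve against pageOrigin and are
// same-origin. Unparseable URLs are treated as cross-origin so that the
// token is withheld (fail closed).
function isSameOrigin(url, pageOrigin) {
  let target;
  try {
    target = new URL(url, pageOrigin);
  } catch (e) {
    return false;
  }
  return target.origin === new URL(pageOrigin).origin;
}

// Hidden fields that a data-method link would submit. With hardened=false the
// token is attached for any href (the behaviour described above); with
// hardened=true it is attached only for same-origin targets.
function buildFormFields(href, method, pageOrigin, token, { hardened = true } = {}) {
  const fields = { _method: method };
  if (!hardened || isSameOrigin(href, pageOrigin)) {
    fields.authenticity_token = token;
  }
  return fields;
}

// Constructed sample targets, checked against a constructed page origin.
function demo() {
  const pageOrigin = 'https://app.example';
  const targets = ['/posts/1', '//other.example/x', 'https://other.example/x'];
  return targets.map((href) => ({
    href,
    tokenSent: 'authenticity_token' in
      buildFormFields(href, 'delete', pageOrigin, CSRF_TOKEN_PLACEHOLDER),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

A protocol-relative href such as `//other.example/x` resolves against the page's scheme but a different host, so it is treated as cross-origin and gets no token.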

Solution
Update to Rails 5.2.4.3 and 6.0.3.1.
For more details, refer to the vendor advisory at
n-released/
Vendor Information

References


CVE Name
CVE-2020-8162
CVE-2020-8164
CVE-2020-8165
CVE-2020-8166
CVE-2020-8167
