Описание
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
A flaw was found in the Active Storage module of Rails, where the transformation method or its arguments for image_processing are not trusted arbitrary input. This flaw allows an attacker to inject code in Rails.
Меры по смягчению последствий
To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict image magick security policy will help mitigate this issue: https://imagemagick.org/script/security-policy.php
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Satellite 6 | tfm-ror52-rubygem-rails | Not affected |
Показывать по
Дополнительная информация
Статус:
9.8 Critical
CVSS3
Связанные уязвимости
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
A code injection vulnerability exists in the Active Storage >= v5.2.0 ...
Possible code injection vulnerability in Rails / Active Storage
Уязвимость модуля Active Storage программной платформы Ruby on Rails, позволяющая нарушителю выполнить произвольный код
9.8 Critical
CVSS3