CVE-2019-5420

Remote Code Execution
Affects: Ruby on Rails Framework, versions 6.0.0.0 through 6.0.0.beta2 and 5.2.0.0 through 5.2.2.0, in Rails
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Ruby on Rails (often called Rails) is a web application framework written in Ruby that emphasizes convention over configuration and the principle of "don't repeat yourself" (DRY). It provides developers with a structured and efficient way to build database-backed web applications through pre-built patterns for rapid development. 

With this vulnerability it is possible to guess the token automatically generated by the Active Job gem, which allows a malicious actor to perform path traversal and, ultimately, possibly execute code remotely.

Remote code execution flaws are among the Open Web Application Security Project (OWASP) Top 10 vulnerability categories. They are among the most potentially damaging vulnerabilities because injected, remotely executed code:

  • can access internal application objects/methods
  • can often bypass security controls
  • may persist across sessions
  • can often pivot to gain OS-level access.

All users running an affected release should apply the workaround or upgrade immediately.

Details

Module Info

  • Product: Ruby on Rails Framework
  • Affected packages: activejob
  • GitHub repository:
    https://github.com/rails/rails
  • Published package: the individual activejob gem or the full Rails Framework gem (which includes activejob).
  • Package manager: gem

Vulnerability Info

The development token (secret_key_base) in Rails is normally used to verify that requests to view error pages in development mode are coming from legitimate local development sessions. It helps prevent unauthorized users from accessing potentially sensitive debugging information that might be exposed in error pages and logs while developers are working on the application locally.

This is a path traversal vulnerability: because no specific file format is enforced when files are read through this mechanism, the check is overly permissive.

The workaround specified below ensures that only the developer can generate tokens that correspond to the hash value assigned to secret_key_base.

Workarounds

This issue can be mitigated by specifying a secret key in development mode. In "config/environments/development.rb" add the following assignment:

config.secret_key_base = SecureRandom.hex(64)
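As an added check (example code, not from HeroDevs or the Rails project), the following Ruby script audits the text of a development.rb file for the assignment above and flags a missing, commented-out or weak secret; the strength thresholds and the sample configs are this example's own assumptions.

```ruby
require "securerandom"

# Audit config/environments/development.rb for the CVE-2019-5420 workaround.
# Thresholds below are this example's assumptions, not a Rails requirement.
MIN_RANDOM_BYTES  = 32   # SecureRandom.hex(64) passes comfortably
MIN_LITERAL_CHARS = 64

def audit_development_config(source)
  # Strip comments so a commented-out assignment does not count as applied.
  code_lines = source.each_line.map { |line| line.sub(/#.*/, "") }
  assignment = code_lines.find { |line| line.match?(/\bconfig\.secret_key_base\s*=[^=]/) }
  return { status: :missing, reason: "no config.secret_key_base assignment found" } unless assignment

  rhs = assignment.split("=", 2).last.strip
  case rhs
  when /\ASecureRandom\.(hex|base64|urlsafe_base64)\((\d+)\)/
    bytes = Regexp.last_match(2).to_i
    return { status: :weak, reason: "SecureRandom called with only #{bytes} bytes" } if bytes < MIN_RANDOM_BYTES
    { status: :ok, reason: "fresh random secret of #{bytes} bytes generated at boot" }
  when /\AENV(?:\.fetch\(|\[)\s*["']([A-Z0-9_]+)["']/
    { status: :ok, reason: "secret supplied via ENV[#{Regexp.last_match(1)}]; make sure it is set" }
  when /\A["']([^"']*)["']\s*\z/
    literal = Regexp.last_match(1)
    strong  = literal.length >= MIN_LITERAL_CHARS && literal.chars.uniq.length > 10
    return { status: :weak, reason: "hard-coded literal is short or low-variety (#{literal.length} chars)" } unless strong
    { status: :ok, reason: "hard-coded literal of #{literal.length} chars (keep it out of version control)" }
  else
    { status: :unknown, reason: "unrecognised expression: #{rhs}" }
  end
end

# Constructed sample configs: one with the workaround only commented out, one applied.
SAMPLE_UNPATCHED = <<~RUBY
  Rails.application.configure do
    config.cache_classes = false
    # config.secret_key_base = SecureRandom.hex(64)
  end
RUBY

SAMPLE_PATCHED = <<~RUBY
  Rails.application.configure do
    config.secret_key_base = SecureRandom.hex(64)
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts audit_development_config(SAMPLE_UNPATCHED).inspect
  puts audit_development_config(SAMPLE_PATCHED).inspect
end
```

Note that SecureRandom.hex(64) is evaluated every time the application boots, so development sessions and other values signed under the previous key become invalid after each restart; loading the value from the environment avoids that if it matters.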

Credits

Mitigation

Users of affected versions of Ruby on Rails should follow one of the following mitigations:

  • Upgrade to a corrected version.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2019-5420
  • Project affected: Ruby on Rails Framework
  • Versions affected: 6.0.0.0 through 6.0.0.beta2 and 5.2.0.0 through 5.2.2.0
  • Published date: March 27, 2019
  • Fix date (approximate): March 27, 2019
  • Severity: Critical
  • Category: Remote Code Execution