CVE-2022-21831

Remote Code Execution
Affects: Ruby on Rails Framework (project: Rails)
  • 7.0.0.0 - <= 7.0.2.2
  • 6.1.0.0 - <= 6.1.4.6
  • 6.0.0.0 - <= 6.0.4.6
  • 5.2.0.0 - <= 5.2.6.2
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Ruby on Rails (often called Rails) is a web application framework written in Ruby that emphasizes convention over configuration and the principle of "don't repeat yourself" (DRY). It gives developers a structured and efficient way to build database-backed web applications through pre-built patterns for rapid development.

Rails applications that use Active Storage, image_processing and the mini_magick backend may be vulnerable to a code injection exploit.

Remote code execution flaws fall within the Open Web Application Security Project (OWASP) Top 10 vulnerability classes. They are among the most potentially damaging vulnerabilities because injected, remotely executed code:

  • can access internal application objects/methods
  • can often bypass security controls
  • may persist across sessions
  • can often pivot to gain OS-level access.

All users running an affected release should apply the workaround or upgrade immediately.

Details

Module Info

  • Product: Ruby on Rails Framework
  • Affected packages: activestorage
  • GitHub repository:
    https://github.com/rails/rails
  • Published package: The individual activestorage gem or the entire Rails Framework gem (which includes activestorage).
  • Package manager: gem

Vulnerability Info

When untrusted user input is passed as the transformation method or as the transformation arguments, it may be possible to execute code remotely.

Steps to Reproduce

Vulnerable code will look similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

where the transformation method or its arguments are untrusted, arbitrary input.

Workarounds

If upgrading immediately is not possible, applications should implement a strict allow-list on accepted transformation methods or arguments, such as the following:

class TransformationsController < ApplicationController
  def apply
    method = params[:method]
    value = params[:value]

    # Define an allow-list of permitted methods
    allowed_methods = {
      "rotate" => :rotate,
      "scale" => :scale,
      "flip" => :flip
    }

    # Look the untrusted name up in the allow-list; anything else is rejected
    transformation = allowed_methods[method]
    return head(:bad_request) unless transformation

    # Only the allow-listed symbol reaches the variant call, never the raw
    # parameter. `value` should be validated in the same way for the chosen
    # method, and `blob` is assumed to have been loaded by a before_action.
    @variant = blob.variant(transformation => value)
  end
end
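A standalone version of that allow-list that validates the argument as well as the method name, as an added example that is not the advisory's or the Rails project's own code. The three transformations and the value ranges they accept are this example's own assumptions; the functions need no Rails to run.

```ruby
# Added example, not from the advisory: validate an untrusted
# (method, value) pair from request params before it reaches blob.variant.
# The transformations below and their accepted ranges are assumptions
# chosen for illustration; restrict them to what the application needs.
ALLOWED_TRANSFORMATIONS = {
  # rotate: accept only a handful of fixed angles, written as plain digits
  "rotate" => lambda { |v|
    return nil unless v.to_s.match?(/\A\d{1,3}\z/)
    angle = v.to_i
    [90, 180, 270].include?(angle) ? angle : nil
  },
  # resize_to_limit: "WxH" with both dimensions between 1 and 2000 px
  "resize_to_limit" => lambda { |v|
    m = v.to_s.match(/\A(\d{1,4})x(\d{1,4})\z/)
    return nil unless m
    w, h = m[1].to_i, m[2].to_i
    w.between?(1, 2000) && h.between?(1, 2000) ? [w, h] : nil
  },
  # flip: a pure switch, so only the literal string "true" is accepted
  "flip" => lambda { |v| v == "true" ? true : nil }
}.freeze

# Returns a one-entry Hash suitable for blob.variant(**opts), or nil when the
# method is off-list or its value is malformed. The key is symbolized only
# after it has matched an allow-list entry, so raw input never becomes a
# transformation name.
def safe_variant_options(method_name, raw_value)
  validator = ALLOWED_TRANSFORMATIONS[method_name.to_s]
  return nil unless validator
  value = validator.call(raw_value)
  value.nil? ? nil : { method_name.to_s.to_sym => value }
end

# Hardened counterpart of `blob.variant(params[:t] => params[:v])`: takes the
# request params (string keys) and returns validated options or nil, so the
# caller can render the variant or respond with 400.
def variant_options_from(params)
  safe_variant_options(params["t"], params["v"])
end
```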

Also consider implementing a strict ImageMagick security policy (see https://imagemagick.org/script/security-policy.php).

Credits

  • Thanks to gquadros_ for reporting this and Zack Deveau of Shopify for writing the patches.

Mitigation

Users of affected versions of Ruby on Rails should follow one of the following mitigations:

  • Upgrade to a corrected version.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2022-21831
  • Project affected: Ruby on Rails Framework
  • Versions affected:
    7.0.0.0 - <= 7.0.2.2
    6.1.0.0 - <= 6.1.4.6
    6.0.0.0 - <= 6.0.4.6
    5.2.0.0 - <= 5.2.6.2
  • Published date: May 26, 2022
  • Approximate fix date: May 26, 2022
  • Severity: Critical
  • Category: Remote Code Execution