CVE-2022-30123

Remote Code Execution
Affects
Ruby on Rails Framework
2.2.0.0 - <=2.2.3.0, 2.1.0.0 - <=2.1.4.0, 2.0.0.0 - <=2.0.9.0
in Rails
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Ruby on Rails (often called Rails) is a web application framework written in Ruby that emphasizes convention over configuration and the principle of "don't repeat yourself" (DRY). It provides developers with a structured and efficient way to build database-backed web applications through pre-built patterns for rapid development. 

Some versions of Rails may allow remote code execution via carefully crafted requests whose contents are executed within the terminal when the Lint and CommonLogger gems are used.

Remote code execution flaws are among the Top 10 Open Web Application Security Project (OWASP) vulnerabilities. They are among the most potentially damaging vulnerabilities because injected, remotely executed code:

  • can access internal application objects/methods
  • can often bypass security controls
  • may persist across sessions
  • can often pivot to gain OS-level access.

All users running an affected release should upgrade immediately.

Details

Module Info

  • Product: Ruby on Rails Framework
  • Affected packages: rack
  • GitHub repository:
    https://github.com/rails/rails
  • Published package: The individual rack gem or the entire Rails Framework gem (which includes rack).
  • Package manager: gem

Vulnerability Info

A malicious user can craft a request that causes shell escape sequences to be written to the terminal when the Lint and CommonLogger gems that are part of rack are in use. If such sequences reach the terminal by way of the logger, the danger is that they can be leveraged to execute commands in the terminal.

Steps to Reproduce

1. Set up a vulnerable version of Rails with Lint and CommonLogger.

2. Make a request similar to the one below:

GET / HTTP/1.1
Host: example.com
User-Agent: \e[31mMaliciousInput\e[0m\e]2;malicious_command\a

3. The \e[31m sets the text color to red, the \e[0m resets the color, and \e]2;malicious_command\a sets the title of the terminal.

4. The exploit takes advantage of the logger executing the “malicious_command” without sanitizing it first.

Workarounds

There are no known workarounds (other than removing these gems from your application).

Credits

Mitigation

Users of affected versions of Ruby on Rails should apply one of the following mitigations:

  • Upgrade to a corrected version.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2022-30123
Project affected: Ruby on Rails Framework
Versions affected: 2.2.0.0 - <=2.2.3.0, 2.1.0.0 - <=2.1.4.0, 2.0.0.0 - <=2.0.9.0
Published date: December 5, 2022
≈ Fix date: December 5, 2022
Severity: Critical
Category: Remote Code Execution