CVSS v3: 9.8 (Critical)
- >= 1.2.1
There is a vulnerability in the actionpack-page_caching gem that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
Versions Affected: All versions of actionpack-page_caching (part of Rails prior to Rails 4.0) Not affected: Applications not using actionpack-page_caching Fixed Versions: actionpack-page_caching >= 1.2.1
The Action Pack Page Caching gem writes cache files to the file system in order for the front end webserver (nginx, Apache, etc) to serve the cached file without making a request to the application server. Paths contain what is effectively user input can be used to manipulate the location of the cache file.
For example “/users/123” could be changed to “/users/../../../foo” and this will escape the cache directory. Attackers can use this technique to springboard to an RCE if they can write arbitrary ERb to a view folder.
Impacted code looks like this:
class BooksController < ApplicationController caches_page :show end
show action of the
BooksController may be vulnerable.