RubySec

Providing security resources for the Ruby community

CVE-2020-8159 (actionpack-page_caching): Arbitrary file write/potential remote code execution in actionpack-page_caching

GEM

actionpack-page_caching

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

  • >= 1.2.1

DESCRIPTION

There is a vulnerability in the actionpack-page_caching gem that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.

Versions Affected: All versions of actionpack-page_caching prior to 1.2.1 (page caching was part of Rails itself prior to Rails 4.0, when it was extracted into this gem)
Not affected: Applications not using actionpack-page_caching
Fixed Versions: actionpack-page_caching >= 1.2.1

Impact

The Action Pack Page Caching gem writes cache files to the file system so that the front-end web server (nginx, Apache, etc.) can serve the cached file without making a request to the application server. The cache file's path is derived from the request path, which is effectively user input, so an attacker can manipulate where the cache file is written.

For example, a request for "/users/123" could be changed to "/users/../../../foo"; the ".." segments escape the cache directory, and the cached response is written outside it. Attackers can use this technique as a springboard to RCE if they can write arbitrary ERB into a view folder, since the application will then render it.

Impacted code looks like this:

class BooksController < ApplicationController
  caches_page :show
end

Here the show action of BooksController is the one whose responses are written to the cache, and so the one exposed to this issue.
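The following is an added example, not code from the actionpack-page_caching gem or from the advisory, that models the traversal described above and the containment check that prevents it. The function names, the cache directory layout (a scratch copy of public/cache beside app/views) and the request paths are all assumptions constructed for the demo. The unsafe path builder joins the request path onto the cache directory the way a page cache must; the hardened variant resolves the result with File.expand_path and refuses anything that no longer lives under the cache directory. The traversal works just as well when the ".." segments are percent-encoded, because the request path is URL-decoded before it becomes a file name.

```ruby
require "fileutils"
require "tmpdir"
require "uri"

# Illustrative model of a page-cache writer; not the gem's own implementation.
class CachePathEscape < StandardError; end

# Turn a request path into a file name under cache_dir, appending ".html"
# when the path carries no extension. The request path is URL-decoded first,
# so "%2e%2e" becomes ".." before the file name is built.
def unsafe_cache_path(cache_dir, request_path)
  name = if request_path.empty? || request_path == "/"
           "/index"
         else
           URI::DEFAULT_PARSER.unescape(request_path.chomp("/"))
         end
  name += ".html" if File.extname(name).empty?
  File.join(cache_dir, name)
end

# Does the joined path resolve to somewhere other than inside cache_dir?
# File.expand_path collapses "..", so a traversal shows up as a resolved
# path that no longer has the cache directory as a prefix.
def cache_path_escapes?(cache_dir, request_path)
  root = File.expand_path(cache_dir)
  resolved = File.expand_path(unsafe_cache_path(cache_dir, request_path))
  !resolved.start_with?(root + File::SEPARATOR)
end

# Hardened variant: refuse any request path that escapes the cache
# directory, otherwise return the resolved absolute path to write.
def safe_cache_path(cache_dir, request_path)
  if cache_path_escapes?(cache_dir, request_path)
    raise CachePathEscape, "request path #{request_path.inspect} escapes #{cache_dir}"
  end
  File.expand_path(unsafe_cache_path(cache_dir, request_path))
end

def write_page(target, body)
  FileUtils.mkdir_p(File.dirname(target))
  File.write(target, body)
  target
end

# End-to-end demo on a scratch tree (hypothetical layout): the unsafe writer
# drops an ERB template into app/views/layouts; the safe writer refuses.
# Returns [path written, relative to the scratch root; whether safe refused].
def demo_traversal
  Dir.mktmpdir("page_cache_demo") do |root|
    cache_dir = File.join(root, "public", "cache")
    FileUtils.mkdir_p(File.join(root, "app", "views", "layouts"))
    FileUtils.mkdir_p(cache_dir)

    # Three ".." segments climb from cache/users to <root>, then into app/views.
    evil = "/users/../../../app/views/layouts/injected.html.erb"
    body = "<%= `id` %>" # constructed payload text; never rendered here

    written = write_page(unsafe_cache_path(cache_dir, evil), body)
    refused = begin
      safe_cache_path(cache_dir, evil)
      false
    rescue CachePathEscape
      true
    end

    [File.expand_path(written).delete_prefix(root), refused]
  end
end

if __FILE__ == $PROGRAM_NAME
  where, refused = demo_traversal
  puts "unsafe writer wrote: #{where}"
  puts "safe writer refused: #{refused}"
end
```

The check compares resolved absolute paths rather than looking for a ".." substring, so it also catches encoded and mixed forms that a string match would miss. File.expand_path does not follow symlinks, so if the cache directory can contain attacker-influenced symlinks, resolve the parent directory with File.realpath before comparing prefixes.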