RubySec

Providing security resources for the Ruby community

CVE-2021-22885 (actionpack): Possible Information Disclosure / Unintended Method Execution in Action Pack

GEM

actionpack

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 7.5 (High)

UNAFFECTED VERSIONS

  • < 2.0.0

PATCHED VERSIONS

  • ~> 5.2.4.6
  • ~> 5.2.6
  • ~> 6.0.3, >= 6.0.3.7
  • >= 6.1.3.2

DESCRIPTION

There is a possible information disclosure / unintended method execution vulnerability in Action Pack which has been assigned the CVE identifier CVE-2021-22885.

Versions Affected: >= 2.0.0. Not affected: < 2.0.0. Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the redirect_to or polymorphic_url helper with untrusted user input.

Vulnerable code will look like this:

redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example:

# Only a known-good value is passed through; anything else falls back to "/"
private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end

def index
  redirect_to(check(params[:some_param]))
end

Or force the user input to be cast to a string like this:

def index
  redirect_to(params[:some_param].to_s)
end
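The two workarounds above (allow list, and casting to a String) are shown below as one self-contained Ruby example that runs without Rails. This is an added illustration, not code from RubySec or from the Rails project; the names `ALLOWED_TARGETS`, `safe_redirect_target` and `stringified_target` are hypothetical, and the sample values are constructed to mimic what Rack/Rails query parsing yields for a few query strings (a nested key such as `some_param[foo]=bar` becomes a Hash, `some_param[]=a` becomes an Array). It goes slightly beyond the advisory's snippet by checking the value's type before its content, since an untrusted parameter is not guaranteed to be a String.

```ruby
# Added example (not RubySec's or Rails' code). Hypothetical names throughout.

# Destinations the application is willing to redirect to.
ALLOWED_TARGETS = %w[/ /dashboard /settings].freeze

# Allow-list workaround: return +param+ only when it is a plain String that
# appears in ALLOWED_TARGETS. nil, Hash/Array values produced by nested query
# parameters, and unknown paths all fall back to "/".
def safe_redirect_target(param)
  return "/" unless param.is_a?(String)

  ALLOWED_TARGETS.include?(param) ? param : "/"
end

# Cast workaround: force whatever arrived to a String so that only a String
# ever reaches redirect_to. This fixes the type, not the destination, so it
# should be combined with a destination check where open redirects matter.
def stringified_target(param)
  param.to_s
end

# Constructed sample inputs, keyed by the query string that would produce them.
SAMPLE_PARAMS = {
  "?some_param=/dashboard"         => "/dashboard",
  "?some_param=/not-on-the-list"   => "/not-on-the-list",
  "?some_param[foo]=bar"           => { "foo" => "bar" },
  "?some_param[]=a&some_param[]=b" => %w[a b],
  "(parameter absent)"             => nil
}.freeze

# Runs each sample through both workarounds and returns the results keyed by
# query string, so the behaviour can be inspected or asserted on.
def workaround_table(samples = SAMPLE_PARAMS)
  samples.each_with_object({}) do |(query, value), out|
    out[query] = {
      allow_list: safe_redirect_target(value),
      to_s: stringified_target(value)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  workaround_table.each do |query, result|
    puts format("%-32s allow-list => %-12p to_s => %p", query, result[:allow_list], result[:to_s])
  end
end
```

Note that `stringified_target` turns a Hash or Array into its `inspect`-style String rather than rejecting it; that is acceptable for the advisory's purpose (keeping non-String objects away from `redirect_to`) but is not a substitute for the allow list if the redirect destination itself must be trusted.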