CVSS v3.x: 9.8 (Critical)
- < 5.2.0
- ~> 5.2.6, >= 18.104.22.168
- ~> 6.0.4, >= 22.214.171.124
- ~> 6.1.4, >= 126.96.36.199
- >= 188.8.131.52
There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability has been assigned the CVE identifier CVE-2022-21831.
Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability impacts applications that use Active Storage with the image_processing processing in addition to the mini_magick back end for image_processing.
Vulnerable code will look something similar to this:
<%= image_tag blob.variant(params[:t] => params[:v]) %>
Where the transformation method or its arguments are untrusted arbitrary input.
All users running an affected release should either upgrade or use one of the workarounds immediately.
To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict image magick security policy will help mitigate this issue.