RubySec

Providing security resources for the Ruby community

CVE-2022-21831 (activestorage): Possible code injection vulnerability in Rails / Active Storage

ADVISORIES

GEM

activestorage

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 9.8 (Critical)

UNAFFECTED VERSIONS

  • < 5.2.0

PATCHED VERSIONS

  • ~> 5.2.6, >= 5.2.6.3
  • ~> 6.0.4, >= 6.0.4.7
  • ~> 6.1.4, >= 6.1.4.7
  • >= 7.0.2.3

DESCRIPTION

There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability has been assigned the CVE identifier CVE-2022-21831.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

Impact

There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability impacts applications that use Active Storage together with the image_processing gem and its mini_magick back end.

Vulnerable code will look something like this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

To work around this issue, applications should implement a strict allow-list on accepted transformation methods and their arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.

https://imagemagick.org/script/security-policy.php
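As an added example (not the advisory's or Rails' own code), the allow-list workaround above can be a small module placed between the untrusted params and blob.variant; the permitted transformations and the size bounds are assumptions chosen for illustration:

```ruby
# Added example: validate untrusted variant parameters before they reach
# ActiveStorage::Blob#variant. The set of permitted transformations and the
# 1..2000 pixel bound are assumptions for this illustration, not Rails defaults.
module VariantAllowList
  class RejectedTransformation < StandardError; end

  # Allowed transformation name => validator for its already-coerced argument.
  ALLOWED = {
    "resize_to_limit" => lambda { |arg|
      arg.is_a?(Array) && arg.size == 2 &&
        arg.all? { |n| n.is_a?(Integer) && n.between?(1, 2000) }
    },
    "strip" => ->(arg) { arg == true },
  }.freeze

  # Takes the untrusted method name and argument (e.g. params[:t], params[:v])
  # and returns a transformation Hash that is safe to hand to blob.variant,
  # or raises RejectedTransformation. Usage in a view would be:
  #   image_tag blob.variant(VariantAllowList.build(params[:t], params[:v]))
  def self.build(method, arg)
    name = method.to_s
    validator = ALLOWED[name]
    raise RejectedTransformation, "method not allowed: #{name}" unless validator

    coerced = coerce(name, arg)
    raise RejectedTransformation, "bad argument for #{name}" unless validator.call(coerced)

    { name.to_sym => coerced }
  end

  # Coerce only the shapes we expect; anything else becomes nil/false and is
  # rejected by the validator. Untrusted strings are never interpolated or eval'd.
  def self.coerce(name, arg)
    case name
    when "resize_to_limit"
      parts = arg.is_a?(String) ? arg.split("x", 2) : Array(arg)
      parts.map { |v| Integer(v, exception: false) } # "100x" or "abc" -> nil
    when "strip"
      arg == true || arg == "true" || arg == "1"
    end
  end
  private_class_method :coerce
end
```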