Code Injection Vulnerability in Active Storage by Rails
CVE-2022-21831

9.8CRITICAL

Key Information:

Vendor: Rubyonrails
Status: Https://github.com/rails/rails
Vendor: CVE Published:; 26 May 2022

🔔 Create Rubyonrails Vulnerability Alert

What is CVE-2022-21831?

A code injection vulnerability is present in Active Storage versions 5.2.0 and later. This flaw can be exploited if an attacker crafts malicious image_processing arguments, potentially leading to unauthorized code execution on the affected system. It highlights the importance of ensuring that user-input data is properly validated and sanitized to mitigate such risks.

Affected Version(s)

https://github.com/rails/rails 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

References

https://github.com/advisories/GHSA-w749-p3v6-hccq

https://lists.debian.org/debian-lts-announce/2022/09/msg0...

mailing-list

https://security.netapp.com/advisory/ntap-20221118-0001/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2022
Vulnerability Reserved
Dec 10, 2021