CVE-2020-8164 - High Severity Vulnerability
Vulnerable Library - actionpack-5.2.4.2.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-5.2.4.2.gem
Path to dependency file: /tmp/ws-scm/chaltron/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/actionpack-5.2.4.2.gem
Dependency Hierarchy:
- coffee-rails-4.2.2.gem (Root Library)
  - railties-5.2.4.2.gem
    - :x: **actionpack-5.2.4.2.gem** (Vulnerable Library)
Found in HEAD commit: 1b50f621103349895a1a437eea1f48393a237a04
Vulnerability Details
In some cases user-supplied information can be inadvertently leaked from Strong Parameters. Specifically, the return value of `each`, `each_value` or `each_pair` on an `ActionController::Parameters` object is the underlying "untrusted" hash of data that was read from the request, not a permitted `Parameters` object. Applications that use this return value may inadvertently pass untrusted user input to mass assignment. Impacted code will look something like this:

```ruby
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
  params.each { |k, v| SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above example: the method's value is whatever `each` returns, which in affected versions is the raw hash, `is_admin` included, so the model receives an attribute the developer never permitted.
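The following is an added example, not code from the advisory or from Rails, that reproduces the mechanism behind the pattern above without needing actionpack installed. `FakeParameters` and `FakeUser` are assumed stand-ins: the first models the two shapes of `each` (the vulnerable one delegating straight to `Hash#each`, whose value is the receiver, and the fixed one returning `self`), the second models the forbidden-attributes check that rejects an unpermitted `Parameters` object but has no way to recognise a plain `Hash`. The three `clean_up_params_*` variants show the advisory's bug against the vulnerable library, the same code against the fixed library, and the pattern that is correct on any version.

```ruby
require 'set'

# Stand-in for ActionController::Parameters (an assumption for this example; the
# real class is much larger). Only what is needed to show the bug is modelled.
class FakeParameters
  def initialize(hash, permitted: false)
    @parameters = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Vulnerable shape (actionpack < 5.2.4.3 / 6.0.3.1): iteration is delegated to
  # Hash#each, whose return value is the receiver, so the caller gets back the
  # raw, unfiltered hash of user input.
  def each_unsafe(&block)
    @parameters.each(&block)
  end

  # Fixed shape: same iteration, but the return value is self, still an
  # unpermitted Parameters object that mass assignment will reject.
  def each(&block)
    @parameters.each(&block)
    self
  end
  alias each_pair each

  # Allow-list filter; returns a new, permitted object holding only those keys.
  def permit(*keys)
    allowed = keys.map(&:to_s).to_set
    FakeParameters.new(@parameters.select { |k, _| allowed.include?(k) },
                       permitted: true)
  end

  def to_h
    raise 'unpermitted parameters' unless @permitted
    @parameters.dup
  end
end

# Stand-in for the model. Like ActiveModel's ForbiddenAttributesProtection, it
# rejects a Parameters object that has not been permitted, but a plain Hash has
# no permitted? method and sails straight through: that is the leak.
class FakeUser
  attr_reader :attributes

  def initialize
    @attributes = { 'is_admin' => false }
  end

  def update(attrs)
    if attrs.respond_to?(:permitted?) && !attrs.permitted?
      raise 'ForbiddenAttributesError'
    end
    @attributes.merge!(attrs.to_h)
    self
  end
end

# Constructed request body: the attacker added is_admin next to the expected name.
ATTACKER_PARAMS = { name: 'alice', is_admin: true }.freeze

# Mirrors the advisory's clean_up_params: the block's side effect is fine, but
# the method's value is whatever `each` returns.
def clean_up_params_vulnerable(params)
  params.each_unsafe { |k, v| raise 'bad name' if k == 'name' && v.empty? }
end

# Same code against the patched library: the value is now the unpermitted
# Parameters object, so update raises instead of silently escalating.
def clean_up_params_patched(params)
  params.each { |k, v| raise 'bad name' if k == 'name' && v.empty? }
end

# Correct on any version: validate in the block, then return an explicit
# allow-list rather than the iterator's return value.
def clean_up_params_safe(params)
  params.each { |k, v| raise 'bad name' if k == 'name' && v.empty? }
  params.permit(:name)
end

# Runs one cleaner through update and returns the resulting attributes, or the
# error message if mass assignment was refused.
def run_update(cleaner)
  user = FakeUser.new
  user.update(send(cleaner, FakeParameters.new(ATTACKER_PARAMS)))
  user.attributes
rescue RuntimeError => e
  e.message
end

if __FILE__ == $0
  %i[clean_up_params_vulnerable clean_up_params_patched clean_up_params_safe].each do |c|
    puts "#{c}: #{run_update(c).inspect}"
  end
end
```

The practical effect is attribute injection rather than a pure information leak: the vulnerable path ends with `is_admin => true` on the record. Upgrading only changes the failure from silent escalation to a raised `ForbiddenAttributesError`; the code is still wrong until it returns the result of `permit` rather than the iterator's value, which is the check to apply to any method whose last expression is `params.each`, `each_pair` or `each_value`.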
Publish Date: 2020-05-31
URL: CVE-2020-8164
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-8727-m6gj-mc37
Release Date: 2020-05-31
Fix Resolution: 5.2.4.3,6.0.3.1