GHSA-8727-m6gj-mc37
- Source
- https://github.com/advisories/GHSA-8727-m6gj-mc37
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-8727-m6gj-mc37/GHSA-8727-m6gj-mc37.json
- Aliases
- Published
- 2020-05-26T15:09:16Z
- Modified
- 2024-02-16T08:12:29.475793Z
- Summary
- Possible Strong Parameters Bypass in ActionPack
- Details
-
There is a strong parameters bypass vector in ActionPack.
Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of
each, oreach_value, oreach_pairwill return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.Impacted code will look something like this:
def update # Attacker has included the parameter: `{ is_admin: true }` User.update(clean_up_params) end def clean_up_params params.each { |k, v| SomeModel.check(v) if k == :name } endNote the mistaken use of
eachin theclean_up_paramsmethod in the above example.Workarounds
Do not use the return values of
each,each_value, oreach_pairin your application. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-8164
- https://hackerone.com/reports/292797
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
- https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
- https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
- https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
- https://www.debian.org/security/2020/dsa-4766
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
Affected packages
RubyGems / actionpack
Package
- Name
- actionpack
Affected versions
5.*
5.0.0
5.0.0.1
5.0.1.rc1
5.0.1.rc2
5.0.1
5.0.2.rc1
5.0.2
5.0.3
5.0.4.rc1
5.0.4
5.0.5.rc1
5.0.5.rc2
5.0.5
5.0.6.rc1
5.0.6
5.0.7
5.0.7.1
5.0.7.2
5.1.0.beta1
5.1.0.rc1
5.1.0.rc2
5.1.0
5.1.1
5.1.2.rc1
5.1.2
5.1.3.rc1
5.1.3.rc2
5.1.3.rc3
5.1.3
5.1.4.rc1
5.1.4
5.1.5.rc1
5.1.5
5.1.6
5.1.6.1
5.1.6.2
5.1.7.rc1
5.1.7
5.2.0.beta1
5.2.0.beta2
5.2.0.rc1
5.2.0.rc2
5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2
RubyGems / actionpack
Package
- Name
- actionpack