GHSA-w749-p3v6-hccq

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-w749-p3v6-hccq/GHSA-w749-p3v6-hccq.json
Aliases
  • CVE-2022-21831
Published
2022-03-08T21:25:54Z
Modified
2022-06-21T16:18:03.112261Z
Details

Active Storage, the file-attachment module of Rails, may be vulnerable to code injection starting with version 5.2.0: the transformation methods and arguments an application passes to the image processor when it builds a variant are not restricted, so when any of them are derived from user input an attacker can have the processor invoke methods or options the application never intended. The issue is patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7 and 7.0.2.3. Applications that cannot upgrade should enforce a strict allow-list of accepted transformation methods and arguments before handing them to the processor; a strict ImageMagick security policy (policy.xml) additionally limits what an injected transformation can do.
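The two workarounds above, as an added example written for this page (it is not Rails' own code and not part of the advisory). The first half validates a client-supplied transformation Hash against an allow-list of method names and argument shapes before it is splatted into `blob.variant(**safe)`; the second half checks that the ImageMagick policy.xml an application deploys denies coders commonly abused for code execution. The allowed method names, the dimension limit, the coder list and the sample policy are assumptions chosen for illustration; the patched releases also ship a configurable allow-list of their own (`config.active_storage.supported_image_processing_methods`, as I recall it; verify against the configuration docs for your Rails version), and this standalone version exists so the check can be read and run without Rails.

```ruby
# Added example, not code from Rails or the advisory: an allow-list for
# client-supplied Active Storage transformations, plus a check that the
# ImageMagick policy.xml in use denies coders commonly abused for code
# execution. The allowed methods, limits, coder list and sample policy are
# assumptions chosen for illustration.

ALLOWED_FORMATS = %w[jpeg jpg png webp].freeze
MAX_DIMENSION   = 4096

# Transformation names a client may request -> argument shape each accepts.
# Anything not listed is rejected before it reaches the image processor.
ALLOWED_TRANSFORMATIONS = {
  "resize_to_limit" => :dimensions, # [width, height]
  "resize_to_fill"  => :dimensions,
  "rotate"          => :degrees,    # 0..359
  "quality"         => :percent,    # 1..100
  "format"          => :format      # one of ALLOWED_FORMATS
}.freeze

class TransformationError < StandardError; end

# Integer or digit-only string -> Integer; anything else (option strings such
# as "-write /tmp/x", geometry strings, floats, booleans) -> nil.
def strict_int(value)
  return value if value.is_a?(Integer)
  return value.to_i if value.is_a?(String) && value.match?(/\A\d{1,6}\z/)
  nil
end

def coerce_argument(name, kind, arg)
  bad = ->(why) { raise TransformationError, "#{name}: #{why}" }
  case kind
  when :dimensions
    bad.call("expects [width, height]") unless arg.is_a?(Array) && arg.size == 2
    arg.map do |v|
      n = strict_int(v)
      bad.call("dimension out of range") unless n && n.between?(1, MAX_DIMENSION)
      n
    end
  when :degrees
    n = strict_int(arg)
    bad.call("expects 0..359") unless n && n.between?(0, 359)
    n
  when :percent
    n = strict_int(arg)
    bad.call("expects 1..100") unless n && n.between?(1, 100)
    n
  when :format
    bad.call("unsupported format") unless arg.is_a?(String) && ALLOWED_FORMATS.include?(arg.downcase)
    arg.downcase
  end
end

# Validates a client-supplied Hash and returns a symbol-keyed Hash that can be
# splatted into blob.variant(**safe). Unknown methods and malformed arguments
# raise instead of being forwarded to the processor.
def validate_transformations(requested)
  raise TransformationError, "transformations must be a Hash" unless requested.is_a?(Hash)
  requested.each_with_object({}) do |(name, arg), safe|
    kind = ALLOWED_TRANSFORMATIONS[name.to_s]
    raise TransformationError, "unsupported transformation: #{name.inspect}" unless kind
    safe[name.to_s.to_sym] = coerce_argument(name, kind, arg)
  end
end

# Coders a hardened policy.xml should deny (assumed list).
DANGEROUS_CODERS = %w[EPHEMERAL URL HTTPS MVG MSL TEXT SHOW WIN PLT].freeze

# Returns the coders in `coders` that policy_xml does not deny. A flat attribute
# scan is enough for policy.xml's <policy .../> elements; it is not an XML parser.
def undenied_coders(policy_xml, coders = DANGEROUS_CODERS)
  denied = policy_xml.scan(/<policy\b([^>]*)>/).flat_map do |(attrs)|
    a = attrs.scan(/(\w+)="([^"]*)"/).to_h
    next [] unless a["domain"] == "coder" && a["rights"] == "none"
    a["pattern"].to_s.delete("{}").split(",").map { |c| c.strip.upcase } # handles "{PS,EPS}" too
  end
  coders.reject { |c| denied.include?(c) }
end

# Constructed sample policy: denies the list above except SHOW and WIN.
SAMPLE_POLICY = <<~XML
  <policymap>
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="{MVG,MSL,TEXT}" />
    <policy domain="coder" rights="none" pattern="PLT" />
    <policy domain="delegate" rights="none" pattern="*" />
  </policymap>
XML

if __FILE__ == $PROGRAM_NAME
  p validate_transformations("resize_to_limit" => ["800", 600], "format" => "PNG")
  p undenied_coders(SAMPLE_POLICY)
end
```

Run it directly to see the coerced Hash and the two coders the sample policy leaves open. The point of `strict_int` is that every argument is re-typed into a plain Integer or a known format string; nothing the client sends is forwarded verbatim, so an argument that smuggles an ImageMagick option or a method name has nowhere to go. `undenied_coders` belongs in a deployment smoke test against the real `policy.xml` on the image-processing host, since a policy that is present but incomplete gives a false sense of safety.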

References

Affected packages

RubyGems / activestorage

activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.6.3

Affected versions

5.*

5.2.0
5.2.1
5.2.1.1
5.2.1.rc1
5.2.2
5.2.2.1
5.2.2.rc1
5.2.3
5.2.3.rc1
5.2.4
5.2.4.1
5.2.4.2
5.2.4.3
5.2.4.4
5.2.4.5
5.2.4.6
5.2.4.rc1
5.2.5
5.2.6
5.2.6.1
5.2.6.2

Database specific

{
    "last_known_affected_version_range": "<= 5.2.6.2"
}

RubyGems / activestorage

activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.4.7

Affected versions

6.*

6.0.0
6.0.1
6.0.1.rc1
6.0.2
6.0.2.1
6.0.2.2
6.0.2.rc1
6.0.2.rc2
6.0.3
6.0.3.1
6.0.3.2
6.0.3.3
6.0.3.4
6.0.3.5
6.0.3.6
6.0.3.7
6.0.3.rc1
6.0.4
6.0.4.1
6.0.4.2
6.0.4.3
6.0.4.4
6.0.4.5
6.0.4.6

Database specific

{
    "last_known_affected_version_range": "<= 6.0.4.6"
}

RubyGems / activestorage

activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.4.7

Affected versions

6.*

6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.3
6.1.3.1
6.1.3.2
6.1.4
6.1.4.1
6.1.4.2
6.1.4.3
6.1.4.4
6.1.4.5
6.1.4.6

Database specific

{
    "last_known_affected_version_range": "<= 6.1.4.6"
}

RubyGems / activestorage

activestorage

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.2.3

Affected versions

7.*

7.0.0
7.0.1
7.0.2
7.0.2.1
7.0.2.2

Database specific

{
    "last_known_affected_version_range": "<= 7.0.2.2"
}