[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage

There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability has been assigned the CVE identifier CVE-2022-21831.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

Impact

There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability impacts applications that use Active Storage with the image_processing processing in addition to the mini_magick back end for image_processing.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict image magick security policy will help mitigate this issue.

ImageMagick – Security Policy

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 5-2-active-storage-code-injection.patch - Patch for 5.2 series
  • 6-0-active-storage-code-injection.patch - Patch for 6.0 series
  • 6-1-active-storage-code-injection.patch - Patch for 6.1 series
  • 7-0-active-storage-code-injection.patch - Patch for 7.0 series

Please note that only the 7.0.Z, 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks to @gquadros_ for reporting this and Zack Deveau of Shopify for writing the patches

5-2-active-storage-code-injection.patch (16.2 KB) 6-0-active-storage-code-injection.patch (19.0 KB) 6-1-active-storage-code-injection.patch (17.9 KB) 7-0-active-storage-code-injection.patch (17.9 KB)

3 Likes