CVE-2021-22885.yml
---
gem: actionpack
framework: rails
cve: 2021-22885
ghsa: hjg4-8q5f-x6fm
url: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
title: Possible Information Disclosure / Unintended Method Execution in Action Pack
date: 2021-05-05
description: |
  There is a possible information disclosure / unintended method execution
  vulnerability in Action Pack which has been assigned the CVE identifier
  CVE-2021-22885.

  Versions Affected: >= 2.0.0.
  Not affected: < 2.0.0.
  Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

  Impact
  ------
  There is a possible information disclosure / unintended method execution
  vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url`
  helper with untrusted user input.

  Vulnerable code will look like this:

  ```
  redirect_to(params[:some_param])
  ```

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Workarounds
  -----------
  To work around this problem, it is recommended to use an allow list for valid
  parameters passed from the user. For example:

  ```
  private def check(param)
    case param
    when "valid"
      param
    else
      "/"
    end
  end

  def index
    redirect_to(check(params[:some_param]))
  end
  ```

  Or force the user input to be cast to a string like this:

  ```
  def index
    redirect_to(params[:some_param].to_s)
  end
  ```
cvss_v3: 7.5
unaffected_versions:
- "< 2.0.0"
patched_versions:
- "~> 5.2.4.6"
- "~> 5.2.6"
- "~> 6.0.3, >= 6.0.3.7"
- ">= 6.1.3.2"
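As an added example, not part of the advisory record or of the ruby-advisory-db tooling, the following plain Ruby evaluates the `unaffected_versions` and `patched_versions` requirements above with RubyGems' own `Gem::Requirement` to decide whether a given actionpack version still needs the upgrade or a workaround. The YAML excerpt is constructed from the record's own version fields; multi-clause requirements such as `~> 6.0.3, >= 6.0.3.7` are split on the comma because `Gem::Requirement` takes one clause per argument.

```ruby
require "yaml"
require "rubygems"

# Constructed excerpt of the CVE-2021-22885 record: only the fields needed
# for a version decision are copied here.
ADVISORY_YAML = <<~YAML
  gem: actionpack
  cve: 2021-22885
  unaffected_versions:
    - "< 2.0.0"
  patched_versions:
    - "~> 5.2.4.6"
    - "~> 5.2.6"
    - "~> 6.0.3, >= 6.0.3.7"
    - ">= 6.1.3.2"
YAML

ADVISORY = YAML.safe_load(ADVISORY_YAML)

# Build a Gem::Requirement from one advisory entry. An entry may carry
# several comma-separated clauses that must all hold (e.g. "~> 6.0.3, >= 6.0.3.7").
def requirement_for(entry)
  Gem::Requirement.new(*entry.split(",").map(&:strip))
end

# True when +version+ satisfies at least one entry in +entries+.
def satisfies_any?(entries, version)
  Array(entries).any? { |entry| requirement_for(entry).satisfied_by?(version) }
end

# A version is vulnerable unless it is listed as unaffected or already patched.
def vulnerable?(advisory, version_string)
  version = Gem::Version.new(version_string)
  return false if satisfies_any?(advisory["unaffected_versions"], version)
  return false if satisfies_any?(advisory["patched_versions"], version)
  true
end

# Report every installed actionpack version (constructed list) that still needs action.
def versions_needing_action(advisory, installed)
  installed.select { |v| vulnerable?(advisory, v) }
end

if __FILE__ == $PROGRAM_NAME
  sample = %w[1.2.6 5.2.4.5 5.2.4.6 5.2.5 5.2.6 6.0.3.6 6.0.3.7 6.1.3.1 6.1.3.2 7.0.0]
  puts "Needs upgrade or workaround: #{versions_needing_action(ADVISORY, sample).join(', ')}"
end
```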