CVE-2022-21831 — Code Injection in Active Storage

CWE-94 — Code Injection8 documents7 sources

Severity

9.8CRITICALNVD

EPSS

1.4%

top 19.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Rubyonrails Active Storage Rails Activestorage +2 more

Timeline

PublishedMay 26

Latest updateSep 10

Description

A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶RubyGemsrails/activestorage5.2.0 — 5.2.6.3+3

▶NVDrubyonrails/active_storage5.2.0 — 5.2.6.3+3

▶Debianrubyonrails/rails< 2:6.0.3.7+dfsg-2+deb11u1+3

▶CVEListV5https/github.com_rails_rails7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

CVE-2022-21831: A code injection vulnerability exists in the Active Storage >= v5↗2022-05-26

▶

OSV

CVE-2022-21831: A code injection vulnerability exists in the Active Storage >= v5↗2022-05-26

▶

GHSA

Possible code injection vulnerability in Rails / Active Storage↗2022-03-08

▶

OSV

Possible code injection vulnerability in Rails / Active Storage↗2022-03-08

▶

📋Vendor Advisories

Red Hat

rubygem-activestorage: Code injection vulnerability in ActiveStorage↗2022-03-08

▶

Debian

CVE-2022-21831: rails - A code injection vulnerability exists in the Active Storage >= v5.2.0 that could...↗2022

▶

💬Community

HackerOne

CVE-2022-21831: Possible code injection vulnerability in Rails / Active Storage↗2022-09-10

▶