Debian update for rails

Published: 2020-09-25

Risk	High
Patch available	YES
Number of vulnerabilities	6
CVE-ID	CVE-2020-8162 CVE-2020-8164 CVE-2020-8165 CVE-2020-8166 CVE-2020-8167 CVE-2020-15169
CWE-ID	CWE-20 CWE-200 CWE-502 CWE-352 CWE-79
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available.
Vulnerable software Subscribe	rails (Debian package) Operating systems & Components / Operating system package or component
Vendor	Debian

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU28240

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-8162

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in ActiveStorage's S3 adapter. A remote attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server and perform a denial of service (DoS) attack.

Mitigation

Update rails package to version 2:5.2.2.1+dfsg-1+deb10u2.

Vulnerable software versions

rails (Debian package): 5.2.2.1+dfsg-1+deb10u1

CPE2.3

cpe:2.3:o:debian:rails:5.2.2.1+dfsg-1+deb10u1:*:*:*:*:debian_linux:*:*

External links

http://www.debian.org/security/2020/dsa-4766

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Information disclosure

EUVDB-ID: #VU28243

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-8164

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the return value of "each", or "each_value", or "each_pair" will return the underlying "untrusted" hash of data that was read from the parameters. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Update rails package to version 2:5.2.2.1+dfsg-1+deb10u2.

Vulnerable software versions

rails (Debian package): 5.2.2.1+dfsg-1+deb10u1

CPE2.3

cpe:2.3:o:debian:rails:5.2.2.1+dfsg-1+deb10u1:*:*:*:*:debian_linux:*:*

External links

http://www.debian.org/security/2020/dsa-4766

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Deserialization of Untrusted Data

EUVDB-ID: #VU28239

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-8165

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in the "MemCacheStore" and "RedisCacheStore". A remote attacker can pass specially crafted data to the application using the "raw: true" parameter and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update rails package to version 2:5.2.2.1+dfsg-1+deb10u2.

Vulnerable software versions

rails (Debian package): 5.2.2.1+dfsg-1+deb10u1

CPE2.3

cpe:2.3:o:debian:rails:5.2.2.1+dfsg-1+deb10u1:*:*:*:*:debian_linux:*:*

External links

http://www.debian.org/security/2020/dsa-4766

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Cross-site request forgery

EUVDB-ID: #VU28244

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-8166

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in the "authenticity_token" meta tag. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Update rails package to version 2:5.2.2.1+dfsg-1+deb10u2.

Vulnerable software versions

rails (Debian package): 5.2.2.1+dfsg-1+deb10u1

CPE2.3

cpe:2.3:o:debian:rails:5.2.2.1+dfsg-1+deb10u1:*:*:*:*:debian_linux:*:*

External links

http://www.debian.org/security/2020/dsa-4766

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Cross-site request forgery

EUVDB-ID: #VU28241

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-8167

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

This is a regression of CVE-2015-1840.

Mitigation

Update rails package to version 2:5.2.2.1+dfsg-1+deb10u2.

Vulnerable software versions

rails (Debian package): 5.2.2.1+dfsg-1+deb10u1

CPE2.3

cpe:2.3:o:debian:rails:5.2.2.1+dfsg-1+deb10u1:*:*:*:*:debian_linux:*:*

External links

http://www.debian.org/security/2020/dsa-4766

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Cross-site scripting

EUVDB-ID: #VU46724

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-15169

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Action View's translation helpers. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update rails package to version 2:5.2.2.1+dfsg-1+deb10u2.

Vulnerable software versions

rails (Debian package): 5.2.2.1+dfsg-1+deb10u1

CPE2.3

cpe:2.3:o:debian:rails:5.2.2.1+dfsg-1+deb10u1:*:*:*:*:debian_linux:*:*

External links

http://www.debian.org/security/2020/dsa-4766

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?