There is a possible escalation to RCE when using YAML serialized columns in Active Record. This vulnerability has been assigned the CVE identifier CVE-2022-32224. Versions Affected: All. Not affected: None Fixed Versions: 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1 Impact When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. Impacted Active Record models will look something like this: class User < ApplicationRecord serialize :options # Vulnerable: Uses YAML for serialization serialize :values, Array # Vulnerable: Uses YAML for serialization serialize :values, JSON # Not vulnerable end All users running an affected release should either upgrade or use one of the workarounds immediately. Releases The FIXED releases are available at the normal locations. The released versions change the default YAML deserializer to use YAML.safe_load, which prevents deserialization of possibly dangerous objects. This may introduce backwards compatibility issues with existing data.
Fixed versions 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1 have been added.
Thanks! Please stable when ready.
Please cleanup
Cleanup done.
Thanks!
