There is a possible escalation to RCE when using YAML serialized columns in Active Record. This vulnerability has been assigned the CVE identifier CVE-2022-32224.

Versions Affected: All.
Not affected: None
Fixed Versions: 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1

Impact

When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data into Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.

Impacted Active Record models will look something like this:

  class User < ApplicationRecord
    serialize :options        # Vulnerable: Uses YAML for serialization
    serialize :values, Array  # Vulnerable: Uses YAML for serialization
    serialize :values, JSON   # Not vulnerable
  end

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations. The released versions change the default YAML deserializer to use YAML.safe_load, which prevents deserialization of possibly dangerous objects. This may introduce backwards compatibility issues with existing data.
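The advisory above says YAML.unsafe_load turns attacker-planted column data into arbitrary Ruby objects and that the fix switches to YAML.safe_load with an allow-list. The following Ruby script is an added illustration of both behaviours against a plain Psych document; it is not code from the advisory, from Rails or from the Gentoo bug. The Gadget class, the column strings and the function names are constructed for the demonstration, and no Rails model or database is involved: the strings simply stand in for what a YAML serialize column would hand to the coder.

```ruby
require "yaml"

# Added illustration, not code from the advisory or from Rails. `Gadget` is a
# constructed stand-in for any class already loaded in the application. Psych
# revives it from a `!ruby/object:` tag by calling `allocate` and setting
# instance variables directly, so `initialize` never runs and no code in the
# application ever chose to build the object.
class Gadget
  attr_reader :name
end

# Constructed column values, as they might sit in a YAML `serialize` column.
BENIGN_COLUMN   = { "theme" => "dark", "per_page" => 25 }.to_yaml
SYMBOL_COLUMN   = { theme: :dark }.to_yaml                   # legitimate pre-fix data
TAMPERED_COLUMN = "--- !ruby/object:Gadget\nname: pwned\n"   # planted by an attacker

# Pre-fix behaviour: the column goes through YAML.unsafe_load (plain YAML.load
# on Psych releases that predate `unsafe_load`, where it was just as permissive).
def vulnerable_deserialize(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Fixed behaviour: YAML.safe_load with an explicit allow-list of classes.
# Any tag outside the list raises Psych::DisallowedClass instead of being
# instantiated. Symbol is permitted here because serialized hashes with
# symbol keys are common in existing rows.
def hardened_deserialize(yaml, permitted_classes: [Symbol])
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)
end

# Returns :loaded, or :rejected when safe_load refuses the document. Handy for
# auditing existing rows before upgrading: a :rejected row is either hostile
# or relies on a class that has to be added to the allow-list.
def hardened_outcome(yaml, permitted_classes: [Symbol])
  hardened_deserialize(yaml, permitted_classes: permitted_classes)
  :loaded
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  obj = vulnerable_deserialize(TAMPERED_COLUMN)
  puts "unsafe_load produced #{obj.class} with name=#{obj.name.inspect}"
  puts "safe_load on tampered row: #{hardened_outcome(TAMPERED_COLUMN)}"
  puts "safe_load on symbol row, default allow-list: #{hardened_outcome(SYMBOL_COLUMN)}"
  puts "safe_load on symbol row, empty allow-list: #{hardened_outcome(SYMBOL_COLUMN, permitted_classes: [])}"
end
```

The empty-allow-list case is the backwards-compatibility problem the advisory warns about: rows that serialized symbols, dates or custom classes load fine under unsafe_load and are rejected under safe_load until those classes are permitted. The fixed Rails releases expose this choice through ActiveRecord's yaml_column_permitted_classes setting (and a use_yaml_unsafe_load escape hatch that restores the vulnerable behaviour); running an audit like hardened_outcome over existing data before upgrading shows which rows need which classes.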
Fixed versions 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1 have been added.
Thanks! Please stable when ready.
Please clean up
Cleanup done.
Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=baf2a2656614d72a2cbf870f339d286bb182952b

commit baf2a2656614d72a2cbf870f339d286bb182952b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-11 05:35:49 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-11 05:36:01 +0000

    [ GLSA 202408-24 ] Ruby on Rails: Remote Code Execution

    Bug: https://bugs.gentoo.org/857840
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-24.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)