Lucene search

K

GoogleOSV:GHSA-3HHC-QP5V-9P2J

HistoryJul 12, 2022 - 7:39 p.m.

Active Record RCE bug with Serialized Columns

2022-07-1219:39:47

Google

osv.dev

42

active record

rce

serialized columns

yaml

sql injection

json

rails security

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

50.1%

When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.

There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.

References

discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

github.com/advisories/GHSA-3hhc-qp5v-9p2j

github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a

github.com/rails/rails/commits/main/activerecord

github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-32224.yml

groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

nvd.nist.gov/vuln/detail/CVE-2022-32224

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

50.1%

Related for OSV:GHSA-3HHC-QP5V-9P2J

cve1 github1 ubuntucve1 gitlab2 veracode1 prion1 debiancve1 nvd1 redhatcve1 debian2 nessus6 cvelist1 osv1 githubexploit1 rubygems1 redhat3 openvas1 rocky1