The Active Storage module of Rails, starting with version 5.2.0, is vulnerable to code injection when the image transformation method or its arguments passed to a variant are taken from untrusted input. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. Applications that cannot upgrade should work around it by implementing a strict allow-list of accepted transformation methods and of the arguments each may take, never passing request parameters straight through to the image processor. Additionally, a strict ImageMagick security policy (policy.xml) helps mitigate this issue by restricting what the image processor is permitted to do.
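The following is an added example, not code from rails/rails or from the advisory: a plain-Ruby allow-list that sanitizes untrusted variant parameters before they are handed to `blob.variant(...)`, which is the workaround the advisory recommends. The `VariantAllowList` module, the four permitted method names (`resize_to_limit`, `resize_to_fill`, `rotate`, `quality`, chosen to match image_processing/MiniMagick transformations), the size limits and the sample inputs are all illustrative assumptions.

```ruby
# Added example (not code from rails/rails): a strict allow-list for
# Active Storage variant transformations, the workaround the advisory
# recommends. Plain Ruby, no Rails dependency, so it runs stand-alone.
#
# Assumptions: the image_processing gem's mini_magick backend, where each
# key of the hash given to blob.variant(...) is sent to the processor as a
# method name; the four permitted methods, the size limits and the sample
# inputs below are illustrative choices, not values from the advisory.
module VariantAllowList
  class NotAllowed < ArgumentError; end

  MAX_DIMENSION = 4096

  # Accepts only a two-element [width, height] pair of plain decimal
  # integers. Anything else (geometry strings like "300x300!", option
  # flags, nested hashes) is rejected before it can reach ImageMagick.
  def self.dimension_pair(value)
    parts = Array(value).flatten.map(&:to_s)
    raise NotAllowed, "expected [width, height], got #{value.inspect}" unless parts.size == 2
    parts.map do |p|
      raise NotAllowed, "non-numeric dimension #{p.inspect}" unless p.match?(/\A\d{1,4}\z/)
      n = p.to_i
      raise NotAllowed, "dimension #{n} outside 1..#{MAX_DIMENSION}" unless (1..MAX_DIMENSION).cover?(n)
      n
    end
  end

  # Accepts a single decimal integer inside the given range.
  def self.bounded_int(value, range)
    s = value.to_s
    raise NotAllowed, "non-numeric argument #{s.inspect}" unless s.match?(/\A-?\d{1,4}\z/)
    n = s.to_i
    raise NotAllowed, "#{n} outside #{range}" unless range.cover?(n)
    n
  end

  # transformation name => validator that returns the coerced argument.
  # Every name not listed here is refused, whatever its argument.
  ALLOWED = {
    "resize_to_limit" => ->(v) { dimension_pair(v) },
    "resize_to_fill"  => ->(v) { dimension_pair(v) },
    "rotate"          => ->(v) { bounded_int(v, 0..359) },
    "quality"         => ->(v) { bounded_int(v, 1..100) },
  }.freeze

  # Takes untrusted transformations as a plain Hash (for example the result
  # of params[:variant].to_unsafe_h in a controller) and returns a new Hash,
  # keyed by symbol, that is safe to pass to blob.variant(**result).
  def self.sanitize(params)
    params.each_with_object({}) do |(name, arg), out|
      validator = ALLOWED[name.to_s]
      raise NotAllowed, "transformation #{name.inspect} is not allowed" unless validator
      out[name.to_sym] = validator.call(arg)
    end
  end

  # Boolean form for callers that prefer not to rescue.
  def self.allowed?(params)
    sanitize(params)
    true
  rescue NotAllowed
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input standing in for request parameters.
  good = { "resize_to_limit" => ["300", "300"], "quality" => "80" }
  p VariantAllowList.sanitize(good)   # {:resize_to_limit=>[300, 300], :quality=>80}

  # Untrusted method name that is not on the list: refused outright.
  p VariantAllowList.allowed?("blur" => "0x8")                 # false
  # Allowed method, but the argument is a geometry string, not integers.
  p VariantAllowList.allowed?("resize_to_fill" => "300x300!")  # false
  # Allowed method, argument outside the permitted range.
  p VariantAllowList.allowed?("quality" => "101")              # false
end
```

The important property is that the method name itself is looked up in a fixed table rather than forwarded, so no request parameter ever becomes a method call on the image processor, and each argument is coerced to a bounded integer rather than passed as a string ImageMagick would parse. As a second layer, the ImageMagick policy.xml on the host should disable coders an injected transformation could abuse (for example MVG, MSL, URL, HTTPS and EPHEMERAL) and cap resource limits.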
github.com/advisories/GHSA-w749-p3v6-hccq
github.com/rails/rails
github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e
github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2022-21831.yml
groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI
lists.debian.org/debian-lts-announce/2022/09/msg00002.html
nvd.nist.gov/vuln/detail/CVE-2022-21831
rubysec.com/advisories/CVE-2022-21831
security.netapp.com/advisory/ntap-20221118-0001
www.debian.org/security/2023/dsa-5372