actionpack-page_caching 1.0.0

1 security vulnerability found in version 1.0.0

Arbitrary file write/potential remote code execution in actionpack-page_caching

critical severity CVE-2020-8159
critical severity CVE-2020-8159
Patched versions: >= 1.2.1

There is a vulnerability in the actionpack-page_caching gem that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.

Versions Affected: All versions of actionpack-page_caching (part of Rails prior to Rails 4.0) Not affected: Applications not using actionpack-page_caching Fixed Versions: actionpack-page_caching >= 1.2.1

Impact

The Action Pack Page Caching gem writes cache files to the file system in order for the front end webserver (nginx, Apache, etc) to serve the cached file without making a request to the application server. Paths contain what is effectively user input can be used to manipulate the location of the cache file.

For example "/users/123" could be changed to "/users/../../../foo" and this will escape the cache directory. Attackers can use this technique to springboard to an RCE if they can write arbitrary ERb to a view folder.

Impacted code looks like this:

class BooksController < ApplicationController
  caches_page :show
end

Where the show action of the BooksController may be vulnerable.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Gem version without a license.


Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.


This gem version has not been yanked and is still available for usage.