actionpack-page_caching 1.0.1

1 security vulnerability found in version 1.0.1

Arbitrary file write/potential remote code execution in actionpack-page_caching

critical severity CVE-2020-8159
Patched versions: >= 1.2.1

There is a vulnerability in the actionpack-page_caching gem that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.

Versions Affected: All versions of actionpack-page_caching (part of Rails prior to Rails 4.0)
Not affected: Applications not using actionpack-page_caching
Fixed Versions: actionpack-page_caching >= 1.2.1

Impact

The Action Pack Page Caching gem writes cache files to the file system so that the front-end web server (nginx, Apache, etc.) can serve the cached file without making a request to the application server. Paths that contain what is effectively user input can be used to manipulate the location of the cache file.

For example, "/users/123" could be changed to "/users/../../../foo", and this will escape the cache directory. Attackers can use this technique to springboard to an RCE if they can write arbitrary ERB to a view folder.

Impacted code looks like this:

class BooksController < ApplicationController
  caches_page :show
end

Where the show action of the BooksController may be vulnerable.
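
The path manipulation described above, as an added Ruby example (not the gem's code and not the patch shipped in 1.2.1): a naive join lets ".." segments leave the cache directory, while the contained version resolves the path first and rejects anything outside it. The cache directory and all function names are assumptions made for illustration.

```ruby
# Constructed cache root for the example (assumption, not from the gem).
CACHE_DIR = "/srv/app/public/cache"

# Naive mapping: appends the request path to the cache directory as-is,
# so ".." segments in the path are carried into the file location.
def naive_cache_file(request_path, cache_dir = CACHE_DIR)
  File.join(cache_dir, request_path + ".html")
end

# True when the lexically resolved file lies outside the cache directory.
def escapes_cache_dir?(file, cache_dir = CACHE_DIR)
  root = File.expand_path(cache_dir)
  !File.expand_path(file).start_with?(root + File::SEPARATOR)
end

# Contained mapping: resolve ".." segments, then require the result to
# stay under the cache root. Returns nil when the path must not be cached.
def contained_cache_file(request_path, cache_dir = CACHE_DIR)
  root = File.expand_path(cache_dir)
  candidate = File.expand_path(File.join(root, request_path + ".html"))
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  candidate
end

if __FILE__ == $PROGRAM_NAME
  # The two request paths quoted in the advisory text.
  ["/users/123", "/users/../../../foo"].each do |path|
    naive = naive_cache_file(path)
    puts "request path: #{path}"
    puts "  naive join : #{File.expand_path(naive)}"
    puts "  escapes?   : #{escapes_cache_dir?(naive)}"
    puts "  contained  : #{contained_cache_file(path).inspect}"
  end
end
```

File.expand_path resolves ".." lexically and does not follow symlinks, so a cache directory that may contain symlinks needs an additional File.realpath comparison on the existing parent directory.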

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leak issues.

Author did not declare license for this gem in the gemspec.


This gem version has an MIT license in the source code; however, it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.