actionpack 4.2.1.rc2

13 security vulnerabilities found in version 4.2.1.rc2

Possible DoS Vulnerability in Action Controller Token Authentication

high severity CVE-2021-22904
high severity CVE-2021-22904
Patched versions: ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2
Unaffected versions: < 4.0.0

There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2021-22904.

Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication. Impacted code will look something like this:

class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end

Possible Information Disclosure / Unintended Method Execution in Action Pack

high severity CVE-2021-22885
high severity CVE-2021-22885
Patched versions: ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2
Unaffected versions: < 2.0.0

There is a possible information disclosure / unintended method execution vulnerability in Action Pack which has been assigned the CVE identifier CVE-2021-22885.

Versions Affected: >= 2.0.0. Not affected: < 2.0.0. Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the redirect_to or polymorphic_url helper with untrusted user input.

Vulnerable code will look like this:

redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example:

private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end

def index
  redirect_to(check(params[:some_param]))
end

Or force the user input to be cast to a string like this:

def index
  redirect_to(params[:some_param].to_s)
end

Possible Strong Parameters Bypass in ActionPack

high severity CVE-2020-8164
high severity CVE-2020-8164
Patched versions: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
Unaffected versions: < 4.0.0

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3 Not affected: rails < 4.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of each, or each_value, or each_pair will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.

Impacted code will look something like this:

def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end

Note the mistaken use of each in the clean_up_params method in the above example.

Workarounds

Do not use the return values of each, each_value, or each_pair in your application.

Possible remote code execution vulnerability in Action Pack

high severity CVE-2016-2098
high severity CVE-2016-2098
Patched versions: ~> 3.2.22.2, ~> 4.2.5, >= 4.2.5.2, ~> 4.1.14, >= 4.1.14.2
Unaffected versions: >= 5.0.0.beta1

There is a possible remote code execution vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-2098.

Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x Not affected: 5.0+ Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2

Impact

Applications that pass unverified user input to the render method in a controller or a view may be vulnerable to a code injection.

Impacted code will look like this:

class TestController < ApplicationController
  def show
    render params[:id]
  end
end

An attacker could use the request parameters to coerce the above example to execute arbitrary ruby code.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

A workaround to this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method.

For example, change this:

def index
  render params[:id]
end

To this:

def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end

Patches

To aid users who aren't able to upgrade immediately we have provided a patch for it. It is in git-am format and consist of a single changeset.

  • 3-2-secure_inline_with_params.patch - Patch for 3.2 series
  • 4-1-secure_inline_with_params.patch - Patch for 4.1 series
  • 4-2-secure_inline_with_params.patch - Patch for 4.2 series

Credits

Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for reporting this!

Possible Object Leak and Denial of Service attack in Action Pack

high severity CVE-2016-0751
high severity CVE-2016-0751
Patched versions: >= 5.0.0.beta1.1, ~> 4.2.5, >= 4.2.5.1, ~> 4.1.14, >= 4.1.14.1, ~> 3.2.22.1

There is a possible object leak which can lead to a denial of service vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-0751.

Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact

A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

This attack can be mitigated by a proxy that only allows known mime types in the Accept header.

Placing the following code in an initializer will also mitigate the issue:

require 'action_dispatch/http/mime_type'

Mime.const_set :LOOKUP, Hash.new { |h,k|
  Mime::Type.new(k) unless k.blank?
}

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 5-0-mime_types_leak.patch - Patch for 5.0 series
  • 4-2-mime_types_leak.patch - Patch for 4.2 series
  • 4-1-mime_types_leak.patch - Patch for 4.1 series
  • 3-2-mime_types_leak.patch - Patch for 3.2 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Aaron Patterson <3<3

Object leak vulnerability for wildcard controller routes in Action Pack

high severity CVE-2015-7581
high severity CVE-2015-7581
Patched versions: ~> 4.2.5, >= 4.2.5.1, ~> 4.1.14, >= 4.1.14.1
Unaffected versions: < 4.0.0, >= 5.0.0.beta1

There is an object leak vulnerability for wildcard controllers in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2015-7581.

Versions Affected: >= 4.0.0 and < 5.0.0.beta1 Not affected: < 4.0.0, 5.0.0.beta1 and newer Fixed Versions: 4.2.5.1, 4.1.14.1

Impact

Users that have a route that contains the string ":controller" are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain ":controller".

Internally, Action Pack keeps a map of "url controller name" to "controller class name". This map is cached globally, and is populated even if the controller class doesn't actually exist.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 4-1-wildcard_route.patch - Patch for 4.1 series
  • 4-2-wildcard_route.patch - Patch for 4.2 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

medium severity CVE-2024-47887
medium severity CVE-2024-47887
Patched versions: ~> 6.1.7.9, ~> 7.0.8.5, ~> 7.1.4, >= 7.1.4.1, >= 7.2.1.1
Unaffected versions: < 4.0.0

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

medium severity CVE-2024-41128
medium severity CVE-2024-41128
Patched versions: ~> 6.1.7.9, ~> 7.0.8.5, ~> 7.1.4, >= 7.1.4.1, >= 7.2.1.1
Unaffected versions: < 3.1.0

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

Possible XSS via User Supplied Values to redirect_to

medium severity CVE-2023-28362
medium severity CVE-2023-28362
Patched versions: ~> 6.1.7.4, >= 7.0.5.1

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

Impact

This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).

Releases

The FIXED releases are available at the normal locations.

Workarounds

Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.

Ability to forge per-form CSRF tokens given a global CSRF token

medium severity CVE-2020-8166
medium severity CVE-2020-8166
Patched versions: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

It is possible to possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications without existing HTML injection vulnerabilities. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.

Timing attack vulnerability in basic authentication in Action Controller.

medium severity CVE-2015-7576
medium severity CVE-2015-7576
Patched versions: >= 5.0.0.beta1.1, ~> 4.2.5, >= 4.2.5.1, ~> 4.1.14, >= 4.1.14.1, ~> 3.2.22.1

There is a timing attack vulnerability in the basic authentication support in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2015-7576.

Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact

Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password.

For example, this string comparison:

"foo" == "bar"

is possibly faster than this comparison:

"foo" == "fo1"

Attackers can use this information to attempt to guess the username and password used in the basic authentication system.

You can tell you application is vulnerable to this attack by looking for http_basic_authenticate_with method calls in your application.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

If you can't upgrade, please use the following monkey patch in an initializer that is loaded before your application:

$ cat config/initializers/basic_auth_fix.rb
module ActiveSupport
  module SecurityUtils
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize

      l = a.unpack "C#{a.bytesize}"

      res = 0
      b.each_byte { |byte| res |= byte ^ l.shift }
      res == 0
    end
    module_function :secure_compare

    def variable_size_secure_compare(a, b)
      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
    end
    module_function :variable_size_secure_compare
  end
end

module ActionController
  class Base
    def self.http_basic_authenticate_with(options = {})
      before_action(options.except(:name, :password, :realm)) do
        authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
          # This comparison uses & so that it doesn't short circuit and
          # uses `variable_size_secure_compare` so that length information
          # isn't leaked.
          ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
            ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
        end
      end
    end
  end
end

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 4-1-basic_auth.patch - Patch for 4.1 series
  • 4-2-basic_auth.patch - Patch for 4.2 series
  • 5-0-basic_auth.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thank you to Daniel Waterworth for reporting the problem and working with us to fix it.

ReDoS based DoS vulnerability in Action Dispatch

low severity CVE-2023-22795
low severity CVE-2023-22795
Patched versions: ~> 5.2.8, >= 5.2.8.15, ~> 6.1.7, >= 6.1.7.1, >= 7.0.4.1

There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.

Users on Ruby 3.2.0 or greater are not affected by this vulnerability.

ReDoS based DoS vulnerability in Action Dispatch

low severity CVE-2023-22792
low severity CVE-2023-22792
Patched versions: ~> 5.2.8, >= 5.2.8.15, ~> 6.1.7, >= 6.1.7.1, >= 7.0.4.1
Unaffected versions: < 3.0.0

There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.

Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious X_FORWARDED_HOST headers before they reach the application.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.