activesupport 3.1.1.rc1

5 security vulnerabilities found in version 3.1.1.rc1

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

high severity CVE-2020-8165
high severity CVE-2020-8165
Patched versions: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the raw: true parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

data = cache.fetch("demo", raw: true) { untrusted_string }

Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum, this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes, detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using the raw argument should be double-checked to ensure that they conform to the expected format.

XML Parsing Vulnerability affecting JRuby users

high severity CVE-2013-1856
high severity CVE-2013-1856
Patched versions: ~> 3.1.12, >= 3.2.13
Unaffected versions: ~> 2.3.0

The ActiveSupport XML parsing functionality supports multiple pluggable backends. One backend supported for JRuby users is ActiveSupport::XmlMini_JDOM which makes use of the javax.xml.parsers.DocumentBuilder class. In some JVM configurations the default settings of that class can allow an attacker to construct XML which, when parsed, will contain the contents of arbitrary URLs including files from the application server. They may also allow for various denial of service attacks. Action Pack

Possible Denial of Service attack in Active Support

medium severity CVE-2015-3227
medium severity CVE-2015-3227
Patched versions: >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Specially crafted XML documents can cause applications to raise a SystemStackError and potentially cause a denial of service attack. This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Workarounds

Use an XML parser that is not impacted by this problem, such as Nokogiri or LibXML. You can change the processor like this:

ActiveSupport::XmlMini.backend = 'Nokogiri'

If you cannot change XML parsers, then adjust RUBY_THREAD_MACHINE_STACK_SIZE.

CVE-2012-3464 rubygem-actionpack: potential XSS vulnerability

medium severity CVE-2012-3464
medium severity CVE-2012-3464
Patched versions: ~> 3.0.17, ~> 3.1.8, >= 3.2.8

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.

CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe)

medium severity CVE-2012-1098
medium severity CVE-2012-1098
Patched versions: ~> 3.0.12, ~> 3.1.4, >= 3.2.2
Unaffected versions: < 3.0.0

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Gem version without a license.


Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.


This gem version has not been yanked and is still available for usage.