activesupport 4.2.1.rc1

5 security vulnerabilities found in version 4.2.1.rc1

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

critical severity CVE-2020-8165
critical severity CVE-2020-8165
Patched versions: ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the raw: true parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

data = cache.fetch("demo", raw: true) { untrusted_string }

Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum, this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes, detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using the raw argument should be double-checked to ensure that they conform to the expected format.

Possible XSS Security Vulnerability in SafeBuffer#bytesplice

medium severity CVE-2023-28120
medium severity CVE-2023-28120
Patched versions: ~> 6.1.7, >= 6.1.7.3, >= 7.0.4.3

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

Possible Denial of Service attack in Active Support

medium severity CVE-2015-3227
medium severity CVE-2015-3227
Patched versions: >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Specially crafted XML documents can cause applications to raise a SystemStackError and potentially cause a denial of service attack. This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Workarounds

Use an XML parser that is not impacted by this problem, such as Nokogiri or LibXML. You can change the processor like this:

ActiveSupport::XmlMini.backend = 'Nokogiri'

If you cannot change XML parsers, then adjust RUBY_THREAD_MACHINE_STACK_SIZE.

XSS Vulnerability in ActiveSupport::JSON.encode

medium severity CVE-2015-3226
medium severity CVE-2015-3226
Patched versions: >= 4.2.2, ~> 4.1.11
Unaffected versions: < 4.1.0

When a Hash containing user-controlled data is encode as JSON (either through Hash#to_json or ActiveSupport::JSON.encode), Rails does not perform adequate escaping that matches the guarantee implied by the escape_html_entities_in_json option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

For example, the following code snippet is vulnerable to this attack:

<%= javascript_tag "var data = #{user_supplied_data.to_json};" %>

Similarly, the following is also vulnerable:

<script>
  var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
</script>

All applications that renders JSON-encoded strings that contains user-controlled data in their views should either upgrade to one of the FIXED versions or use the suggested workaround immediately.

Workarounds

To work around this problem add an initializer with the following code:

module ActiveSupport module JSON module Encoding private class EscapedString def to_s self end end end end end

ReDoS based DoS vulnerability in Active Support’s underscore

low severity CVE-2023-22796
low severity CVE-2023-22796
Patched versions: ~> 5.2.8, >= 5.2.8.15, ~> 6.1.7, >= 6.1.7.1, >= 7.0.4.1

There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.