Bug 1117641 - (CVE-2018-16477) VUL-1: CVE-2018-16477: rubygem-activestorage-5.2: Bypass vulnerability
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Priority: P4 - Low
Severity: Normal
Assigned To: Manuel Schnitzer
E-mail List
https://smash.suse.de/issue/219822/
Reported: 2018-11-28 12:08 UTC by Robert Frohl
Modified: 2018-11-28 23:12 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2018-11-28 12:08:50 UTC
[CVE-2018-16477] Bypass vulnerability in Active Storage

Versions Affected:  >= 5.2.0
Not affected:       < 5.2.0
Fixed Versions:     5.2.1.1

Impact
------
Signed download URLs generated by `ActiveStorage` for the Google Cloud Storage service and the Disk service include `content-disposition` and `content-type` parameters that an attacker can modify. This can be used to upload specially crafted HTML files and have them served and executed inline. Combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path.

Vulnerable apps are those using either GCS or the Disk service in production. Other storage services such as S3 or Azure aren't affected.

All users running an affected release should either upgrade or use one of the workarounds immediately. For those using GCS, it's also recommended to run the following to update existing blobs:

```ruby
ActiveStorage::Blob.find_each do |blob|
  blob.send :update_service_metadata
end
```

Releases
--------
The FIXED releases are available at the normal locations.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16477
http://seclists.org/oss-sec/2018/q4/188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16477
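As an added illustration, not code from Rails, Active Storage or the bug report above, here is a simplified plain-Ruby model of the Disk-service weakness the advisory describes: a signer that leaves `content_type` and `disposition` outside the HMAC is placed beside one that covers them together with the blob key, and a regression check shows how a maintainer can confirm that a signed-URL verifier refuses altered response-header parameters. The secret, the URL shape and all function names are constructed for this demo.

```ruby
require "openssl"
require "uri"
require "cgi"

# Constructed demo secret; a real application derives its signing key from secret_key_base.
SECRET = "constructed-demo-secret".freeze

def hmac(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

def build_url(key, content_type, disposition, sig)
  "/disk/#{key}?sig=#{sig}" \
    "&content_type=#{CGI.escape(content_type)}&disposition=#{CGI.escape(disposition)}"
end

# Weak shape: the signature covers only the blob key, so the two response-header
# parameters sit outside the protected part of the URL and can be edited freely.
def legacy_url(key, content_type, disposition)
  build_url(key, content_type, disposition, hmac(key))
end

# Hardened shape: key, content_type and disposition are signed as one payload.
def fixed_url(key, content_type, disposition)
  build_url(key, content_type, disposition, hmac([key, content_type, disposition].join("\n")))
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: returns the headers the blob would be served with, or nil when the
# signature does not cover the parameters exactly as presented in the request.
def serve(url, signed_params:)
  uri = URI.parse(url)
  key = uri.path.delete_prefix("/disk/")
  q = CGI.parse(uri.query.to_s).transform_values(&:first)
  payload = signed_params ? [key, q["content_type"], q["disposition"]].join("\n") : key
  return nil unless secure_compare(hmac(payload), q["sig"].to_s)
  { "Content-Type" => q["content_type"], "Content-Disposition" => q["disposition"] }
end

# Regression check: rewrite the response-header parameters of a legitimately issued
# URL without touching its signature. A verifier is vulnerable if it still honours them.
def honours_altered_params?(url, signed_params:)
  altered = url.sub(/content_type=[^&]*/, "content_type=text%2Fhtml")
               .sub(/disposition=[^&]*/, "disposition=inline")
  headers = serve(altered, signed_params: signed_params)
  !headers.nil? && headers["Content-Type"] == "text/html"
end
```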