Bug 1172177 - (CVE-2020-8164) VUL-0: CVE-2020-8164: rubygem-actionpack-2,rubygem-actionpack-5_1,rubygem-actionpack-5.2: Possible Strong Parameters Bypass leading to untrusted user input
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other    OS: Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/260130/
CVSSv3.1:SUSE:CVE-2020-8164:7.5:(AV:N...
Reported: 2020-05-27 12:47 UTC by Alexandros Toptsoglou
Modified: 2021-05-18 09:21 UTC

Attachments
patch v5.2 (1.65 KB, patch)
2020-05-27 12:51 UTC, Alexandros Toptsoglou
patch v6.0 (2.00 KB, patch)
2020-05-27 12:52 UTC, Alexandros Toptsoglou

Description Alexandros Toptsoglou 2020-05-27 12:47:49 UTC
Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack. This vulnerability has been
assigned the CVE identifier CVE-2020-8164.

Versions Affected:  rails <= 6.0.3
Not affected:       rails < 4.0.0
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------
In some cases user supplied information can be inadvertently leaked from
Strong Parameters.  Specifically the return value of `each`, or `each_value`,
or `each_pair` will return the underlying "untrusted" hash of data that was
read from the parameters.  Applications that use this return value may
inadvertently use untrusted user input.

Impacted code will look something like this:

```
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   # `each` returns the underlying unfiltered hash, so that is what `update` receives
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above
example.

Releases
--------
The 5.2.4.3 and 6.0.3.1 releases are available at the normal locations.

Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your
application.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 5-2-strong-params.patch - Patch for 5.2 series
* 6-0-strong-params.patch - Patch for 6.0 series

Please note that only the 6.0 and 5.2 series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits
-------

Thanks to Achilleas (@abuisman) for reporting this issue via our HackerOne bug bounty program
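The following is an added example, not code from the advisory, from ActionPack or from the SUSE packages: a constructed, stripped-down stand-in for ActionController::Parameters (called MiniParams here, with VulnerableParams/FixedParams subclasses, a hypothetical User model and a constructed request body, all assumptions) that reproduces the bug the advisory describes. In the vulnerable shape `each`/`each_pair` return the raw Hash, so the `clean_up_params` pattern hands an unfiltered attacker-controlled `is_admin` to mass assignment; in the fixed shape the iteration returns the wrapper itself (the approach the patched releases take) and the unpermitted object is rejected. The last function shows what the controller should do in either version: permit explicitly and never pass the result of an iteration.

```ruby
# Constructed model of CVE-2020-8164, NOT ActionPack's own code: a minimal
# stand-in for ActionController::Parameters in which, as in the advisory,
# the return value of each/each_pair is the raw, unfiltered Hash.

class UnfilteredParameters < StandardError; end

class MiniParams
  def initialize(hash, permitted: false)
    @parameters = hash.transform_keys(&:to_s)  # Rails keys are strings
    @permitted  = permitted
  end

  def permitted?
    @permitted
  end

  # Allow-list: keep only the named keys and mark the result permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    MiniParams.new(@parameters.select { |k, _| allowed.include?(k) }, permitted: true)
  end

  # Mass-assignment entry point: an unpermitted wrapper is rejected, mirroring
  # ActiveModel::ForbiddenAttributesError for unpermitted params.
  def to_h
    raise UnfilteredParameters, "unpermitted parameters" unless permitted?
    @parameters.dup
  end
end

# Vulnerable shape: Hash#each_pair returns its receiver, so this leaks the
# untrusted Hash, which carries no permitted? check at all.
class VulnerableParams < MiniParams
  def each_pair(&block)
    @parameters.each_pair(&block)
  end
  alias each each_pair
end

# Fixed shape: iterate, then return the wrapper so a caller never sees the Hash.
class FixedParams < MiniParams
  def each_pair(&block)
    @parameters.each_pair(&block)
    self
  end
  alias each each_pair
end

# Hypothetical model: Hash#to_h is a no-op, MiniParams#to_h enforces permission.
class User
  def self.update(attrs)
    attrs.to_h
  end
end

# The advisory's mistaken pattern: the block's side effect is the intent, but
# the method's value is whatever `each` returns, and that is what gets used.
def clean_up_params(params)
  params.each { |k, v| raise ArgumentError, "bad name" if k == "name" && !v.is_a?(String) }
end

def exploit_on_vulnerable(request)
  User.update(clean_up_params(VulnerableParams.new(request)))
end

def exploit_on_fixed(request)
  User.update(clean_up_params(FixedParams.new(request)))
rescue UnfilteredParameters
  :forbidden
end

# What the controller should do regardless of version: permit explicitly and
# pass the permitted object, not the result of an iteration.
def safe_update(request)
  params = FixedParams.new(request)
  clean_up_params(params)
  User.update(params.permit(:name))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: an attacker adds is_admin to a profile update.
  request = { "name" => "alice", "is_admin" => true }
  p exploit_on_vulnerable(request)   # {"name"=>"alice", "is_admin"=>true}
  p exploit_on_fixed(request)        # :forbidden
  p safe_update(request)             # {"name"=>"alice"}
end
```

Run it with `ruby` and compare the three lines: only the vulnerable wrapper lets `is_admin` reach `User.update`. The practical check for a code base is the same as the advisory's workaround: grep controllers and concerns for `params.each`, `each_pair` and `each_value` whose value is returned or assigned, and replace them with an explicit `permit`.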
Comment 1 Alexandros Toptsoglou 2020-05-27 12:51:34 UTC
Created attachment 838248 [details]
patch v5.2
Comment 2 Alexandros Toptsoglou 2020-05-27 12:52:19 UTC
Created attachment 838249 [details]
patch v6.0
Comment 3 Alexandros Toptsoglou 2020-05-27 12:52:52 UTC
Reference
https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Comment 6 Alexandros Toptsoglou 2020-07-30 15:00:52 UTC
Tracked as affected rubygem-actionpack-5_1 in SLE15 and rubygem-actionpack-5.2 (CC Manuel for this) in Leap 15.1,15.2 and Factory
Comment 8 Swamp Workflow Management 2020-09-22 19:22:12 UTC
SUSE-SU-2020:2710-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1172177
CVE References: CVE-2020-8164
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP2 (src):    rubygem-actionpack-5_1-5.1.4-3.6.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    rubygem-actionpack-5_1-5.1.4-3.6.1
SUSE Linux Enterprise High Availability 15 (src):    rubygem-actionpack-5_1-5.1.4-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-09-25 22:17:52 UTC
openSUSE-SU-2020:1533-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1172177
CVE References: CVE-2020-8164
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    rubygem-actionpack-5_1-5.1.4-lp151.4.3.1
Comment 10 Swamp Workflow Management 2020-09-26 10:13:53 UTC
openSUSE-SU-2020:1536-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1172177
CVE References: CVE-2020-8164
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    rubygem-actionpack-5_1-5.1.4-lp152.5.3.1
Comment 11 Swamp Workflow Management 2020-09-29 13:20:08 UTC
openSUSE-SU-2020:1575-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1172177
CVE References: CVE-2020-8164
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    rubygem-actionpack-5_1-5.1.4-bp151.2.3.1
Comment 13 Swamp Workflow Management 2020-10-26 14:21:46 UTC
SUSE-SU-2020:3036-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    rmt-server-2.6.5-3.3.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    rmt-server-2.6.5-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-11-04 14:17:03 UTC
SUSE-SU-2020:3147-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise Server 15-LTSS (src):    rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    rmt-server-2.6.5-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-11-05 14:21:44 UTC
SUSE-SU-2020:3160-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    rmt-server-2.6.5-3.18.1
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    rmt-server-2.6.5-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-11-21 17:16:51 UTC
openSUSE-SU-2020:1993-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    rmt-server-2.6.5-lp152.2.3.1
Comment 18 Swamp Workflow Management 2020-11-23 14:23:22 UTC
openSUSE-SU-2020:2000-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    rmt-server-2.6.5-lp151.2.18.2
Comment 19 Wolfgang Frisch 2020-12-09 16:29:21 UTC
Released.
Comment 20 OBSbugzilla Bot 2021-05-18 09:21:33 UTC
This is an autogenerated message for OBS integration:
This bug (1172177) was mentioned in
https://build.opensuse.org/request/show/893979 Factory / rmt-server