Bugzilla – Bug 1172177
VUL-0: CVE-2020-8164: rubygem-actionpack-2,rubygem-actionpack-5_1,rubygem-actionpack-5.2: Possible Strong Parameters Bypass leading to untrusted user input
Last modified: 2021-05-18 09:21:33 UTC
Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack.

This vulnerability has been assigned the CVE identifier CVE-2020-8164.

Versions Affected: rails <= 6.0.3
Not affected: rails < 4.0.0
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input.

Impacted code will look something like this:

```ruby
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
  params.each { |k, v| SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above example.

Releases
--------

The 5.2.4.3 and 6.0.3.1 releases are available at the normal locations.

Workarounds
-----------

Do not use the return values of `each`, `each_value`, or `each_pair` in your application.

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5-2-strong-params.patch - Patch for 5.2 series
* 6-0-strong-params.patch - Patch for 6.0 series

Please note that only the 6.0 and 5.2 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Achilleas (@abuisman) for reporting this issue via our HackerOne bug bounty program
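The following is an added illustration of the pattern the advisory describes, not code from the Rails advisory or from actionpack itself. `StandInParams` is a hypothetical minimal model of `ActionController::Parameters` so the example runs without Rails: it wraps an untrusted hash and, as described for the unpatched versions, its `each` returns the underlying raw hash. `SomeModel`, `REQUEST_PARAMS`, `vulnerable_clean_up`, `safe_clean_up` and `leaks_unpermitted?` are likewise constructed for this example.

```ruby
# Added example (not from the Rails advisory or the actionpack source).
# StandInParams: hypothetical stand-in for ActionController::Parameters.
class StandInParams
  def initialize(raw)
    @raw = raw # untrusted, request-supplied key/value pairs
  end

  # The block runs once per pair, but the method's return value is the raw,
  # unfiltered hash, which is exactly what the advisory warns about.
  def each(&block)
    @raw.each(&block)
  end

  # Allow-list filter: only the named keys survive.
  def permit(*allowed)
    @raw.select { |key, _| allowed.include?(key) }
  end
end

# Stand-in for the advisory's SomeModel: a trivial per-field validation.
module SomeModel
  def self.check(value)
    unless value.is_a?(String) && !value.empty?
      raise ArgumentError, "name must be a non-empty string"
    end
    true
  end
end

# Constructed request body: a legitimate name plus a smuggled is_admin key.
REQUEST_PARAMS = StandInParams.new(name: "alice", is_admin: true)

# Vulnerable pattern from the advisory: `each` is the method's last
# expression, so the unfiltered hash is what the caller receives.
def vulnerable_clean_up(params)
  params.each { |k, v| SomeModel.check(v) if k == :name }
end

# Hardened pattern: run the same per-field checks, then return an explicit
# allow-listed hash instead of relying on what `each` happens to return.
def safe_clean_up(params)
  params.each { |k, v| SomeModel.check(v) if k == :name }
  params.permit(:name)
end

# Review helper: does the value that reaches the model update still carry a
# key the application never permitted?
def leaks_unpermitted?(cleaned, permitted: [:name])
  cleaned.keys.any? { |key| !permitted.include?(key) }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_clean_up(REQUEST_PARAMS).inspect}"
  puts "hardened:   #{safe_clean_up(REQUEST_PARAMS).inspect}"
end
```

Run with `ruby strong_params_example.rb` (any filename works): the vulnerable variant hands `{name: "alice", is_admin: true}` to the update, the hardened variant only `{name: "alice"}`. The point carried over from the workaround above is that the value passed to the model should come from an explicit `permit` call, never from the return value of an iteration method.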
Created attachment 838248: patch v5.2
Created attachment 838249: patch v6.0
Reference https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Tracked as affected rubygem-actionpack-5_1 in SLE15 and rubygem-actionpack-5.2 (CC Manuel for this) in Leap 15.1,15.2 and Factory
SUSE-SU-2020:2710-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1172177
CVE References: CVE-2020-8164
JIRA References:
Sources used:
SUSE Linux Enterprise High Availability 15-SP2 (src): rubygem-actionpack-5_1-5.1.4-3.6.1
SUSE Linux Enterprise High Availability 15-SP1 (src): rubygem-actionpack-5_1-5.1.4-3.6.1
SUSE Linux Enterprise High Availability 15 (src): rubygem-actionpack-5_1-5.1.4-3.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:1533-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1172177
CVE References: CVE-2020-8164
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): rubygem-actionpack-5_1-5.1.4-lp151.4.3.1

openSUSE-SU-2020:1536-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1172177
CVE References: CVE-2020-8164
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): rubygem-actionpack-5_1-5.1.4-lp152.5.3.1

openSUSE-SU-2020:1575-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1172177
CVE References: CVE-2020-8164
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP1 (src): rubygem-actionpack-5_1-5.1.4-bp151.2.3.1

SUSE-SU-2020:3036-1: An update that fixes 16 vulnerabilities is now available.
Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): rmt-server-2.6.5-3.3.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src): rmt-server-2.6.5-3.3.1

SUSE-SU-2020:3147-1: An update that fixes 16 vulnerabilities is now available.
Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise Server 15-LTSS (src): rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): rmt-server-2.6.5-3.34.1

SUSE-SU-2020:3160-1: An update that fixes 16 vulnerabilities is now available.
Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): rmt-server-2.6.5-3.18.1
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src): rmt-server-2.6.5-3.18.1

openSUSE-SU-2020:1993-1: An update that fixes 16 vulnerabilities is now available.
Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): rmt-server-2.6.5-lp152.2.3.1

openSUSE-SU-2020:2000-1: An update that fixes 16 vulnerabilities is now available.
Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): rmt-server-2.6.5-lp151.2.18.2
Released.
This is an autogenerated message for OBS integration: This bug (1172177) was mentioned in https://build.opensuse.org/request/show/893979 Factory / rmt-server