ALT-PU-2020-2321-1
Closed vulnerabilities
BDU:2021-01345
Vulnerability in the mem_cache_store.rb and redis_cache_store.rb components of the Ruby on Rails software platform, allowing an attacker to gain access to confidential data, violate its integrity, and cause a denial of service
BDU:2021-01346
Vulnerability in the each_pair function of strong_parameters.rb in the Ruby on Rails software platform, allowing an attacker to gain access to confidential data
BDU:2022-06175
Vulnerability in the Ruby on Rails software platform related to the client-side implementation of security features, allowing an attacker to execute arbitrary code
Modified: 2024-11-21
CVE-2020-8162
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
Modified: 2024-11-21
CVE-2020-8164
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information that can be inadvertently leaked from Strong Parameters.
- openSUSE-SU-2020:1533
- openSUSE-SU-2020:1536
- openSUSE-SU-2020:1575
- https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
- https://hackerone.com/reports/292797
- [debian-lts-announce] 20200619 [SECURITY] [DLA 2251-1] rails security update
- [debian-lts-announce] 20200720 [SECURITY] [DLA 2282-1] rails security update
- DSA-4766
Modified: 2024-11-21
CVE-2020-8165
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore, potentially resulting in an RCE.
- openSUSE-SU-2020:1677
- openSUSE-SU-2020:1679
- https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
- https://hackerone.com/reports/413388
- [debian-lts-announce] 20200619 [SECURITY] [DLA 2251-1] rails security update
- [debian-lts-announce] 20200720 [SECURITY] [DLA 2282-1] rails security update
- https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/
- DSA-4766
Modified: 2024-11-21
CVE-2020-8166
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
Modified: 2024-11-21
CVE-2020-8167
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.