RubygemsResearch

Sha256: 4b24a4dc381e64d15850883e90ebb68bd6f39e8cde1b9eab0900f05b15e4193f

Contents?: true

Size: 1.89 KB

Versions: 1

Compression:

Stored size: 1.89 KB

---
gem: activesupport
framework: rails
cve: 2020-8165
date: 2020-05-18
url: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
description: |
  There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
  untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result
  from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

  ```
  data = cache.fetch("demo", raw: true) { untrusted_string }
  ```

  Versions Affected:  rails < 5.2.5, rails < 6.0.4
  Not affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.
  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

  Impact
  ------

  Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
  this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

  In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
  they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both
  reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
  detect if data was serialized using the raw option upon deserialization.

  Workarounds
  -----------

  It is recommended that application developers apply the suggested patch or upgrade to the latest release as
  soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
  the `raw` argument should be double-checked to ensure that they conform to the expected format.

patched_versions:
  - "~> 5.2.4.3"
  - ">= 6.0.3.1"

Version data entries

1 entries across 1 versions & 1 rubygems

Version	Path
bundler-audit-0.7.0.1	data/ruby-advisory-db/gems/activesupport/CVE-2020-8165.yml