Sha256: 97f0a42bfd9bc041aac702042d06b5f8041308503b5c0af7141998335aa28296

Size: 1.46 KB

Versions: 1

Stored size: 1.46 KB

Contents

---
gem: actionpack-page_caching
cve: 2020-8159
url: https://groups.google.com/forum/#!topic/rubyonrails-security/CFRVkEytdP8
date: 2020-05-06
title: Arbitrary file write/potential remote code execution in actionpack-page_caching
description: |
  There is a vulnerability in the actionpack-page_caching gem that allows an attacker
  to write arbitrary files to a web server, potentially resulting in remote code execution
  if the attacker can write unescaped ERB to a view.

  Versions Affected:  All versions of actionpack-page_caching (part of Rails prior to Rails 4.0)
  Not affected:       Applications not using actionpack-page_caching
  Fixed Versions:     actionpack-page_caching >= 1.2.1

  Impact
  ------

  The Action Pack Page Caching gem writes cache files to the file system in
  order for the front end webserver (nginx, Apache, etc.) to serve the cached
  file without making a request to the application server.  Paths containing
  what is effectively user input can be used to manipulate the location of the
  cache file.

  For example "/users/123" could be changed to "/users/../../../foo" and this
  will escape the cache directory.  Attackers can use this technique to
  springboard to an RCE if they can write arbitrary ERB to a view folder.

  Impacted code looks like this:

  ```
  class BooksController < ApplicationController
    caches_page :show
  end
  ```

  Where the `show` action of the `BooksController` may be vulnerable.

patched_versions:
  - ">= 1.2.1"

Version data entries

1 entries across 1 versions & 1 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/actionpack-page_caching/CVE-2020-8159.yml
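
The path handling described under "Impact" can be reproduced with plain path arithmetic. The following is an added example, not code from the advisory or from the actionpack-page_caching gem: it contrasts a naive join of the request path onto a cache root with a containment check that rejects any resolved path outside that root. `CACHE_ROOT`, `naive_cache_file` and `safe_cache_file` are hypothetical names, and the root path is constructed for illustration.

```ruby
# Constructed cache root for illustration; not a path taken from the advisory.
CACHE_ROOT = "/var/www/app/public/cache"

# Naive mapping: append the request path to the cache root and normalise it.
# "../" segments in the request path are resolved, so the result can land
# outside the cache directory (the behaviour class the advisory describes).
def naive_cache_file(request_path, root = CACHE_ROOT)
  File.expand_path(File.join(root, request_path + ".html"))
end

# Hardened mapping: resolve the candidate, then require it to sit strictly
# under the root. Returns nil when the path must not be cached.
def safe_cache_file(request_path, root = CACHE_ROOT)
  return nil if request_path.include?("\0") # expand_path raises on NUL bytes

  root_dir  = File.expand_path(root)
  candidate = File.expand_path(File.join(root_dir, request_path + ".html"))

  # Compare against "root/" rather than "root": a bare prefix test would
  # accept a sibling directory such as ".../cache_evil".
  return nil unless candidate.start_with?(root_dir + File::SEPARATOR)

  # File.expand_path is purely lexical. If the cache tree can contain
  # symlinks, resolve the parent directory with File.realpath as well.
  candidate
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request paths; the second is the example from the advisory.
  ["/users/123", "/users/../../../foo", "/../cache_evil/x"].each do |path|
    puts format("%-22s naive=%-45s safe=%s",
                path, naive_cache_file(path), safe_cache_file(path).inspect)
  end
end
```

Upgrading to the fixed version listed in `patched_versions` remains the remedy; the check above only shows what a write path must guarantee before a cache file is created.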