GHSA-8727-m6gj-mc37
Possible Strong Parameters Bypass in ActionPack
Details
There is a strong parameters bypass vector in ActionPack.
Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact ------ In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.
Impacted code will look something like this:
``` def update # Attacker has included the parameter: `{ is_admin: true }` User.update(clean_up_params) end
def clean_up_params params.each { |k, v| SomeModel.check(v) if k == :name } end ```
Note the mistaken use of `each` in the `clean_up_params` method in the above example.
Workarounds ----------- Do not use the return values of `each`, `each_value`, or `each_pair` in your application.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-8164 [ADVISORY]
- https://hackerone.com/reports/292797 [WEB]
- https://github.com/rails/rails [PACKAGE]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml [WEB]
- https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY [WEB]
- https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY [WEB]
- https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html [WEB]
- https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html [WEB]
- https://www.debian.org/security/2020/dsa-4766 [WEB]
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html [WEB]
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html [WEB]
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html [WEB]