There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability has been assigned the CVE identifier CVE-2022-21831.
Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability impacts applications that use Active Storage with the image_processing processing in addition to the mini_magick back end for image_processing.
Vulnerable code will look something similar to this:
<%= image_tag blob.variant(params[:t] => params[:v]) %>
Where the transformation method or its arguments are untrusted arbitrary input.
All users running an affected release should either upgrade or use one of the workarounds immediately.
The fixed releases are available at the normal locations.
To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict image magick security policy will help mitigate this issue.
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 5-2-active-storage-code-injection.patch - Patch for 5.2 series
- 6-0-active-storage-code-injection.patch - Patch for 6.0 series
- 6-1-active-storage-code-injection.patch - Patch for 6.1 series
- 7-0-active-storage-code-injection.patch - Patch for 7.0 series
Please note that only the 7.0.Z, 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Thanks to @gquadros_ for reporting this and Zack Deveau of Shopify for writing the patches