CVE-2022-21831
code injection vulnerability in activestorage (RubyGems)
What is CVE-2022-21831 About?
This vulnerability in the Active Storage module of Rails (starting from version 5.2.0) is a potential code injection flaw. It could allow untrusted input to execute arbitrary code, leading to system compromise. Exploitation is moderately complex, requiring carefully crafted input to leverage image transformation methods.
Affected Software
- activestorage
  - >=6.1.0, <6.1.4.7
  - >=6.0.0, <6.0.4.7
  - >=7.0.0, <7.0.2.3
  - >=5.2.0, <5.2.6.3
Technical Details
The code injection vulnerability in Rails' Active Storage module arises from insecure handling of image transformation methods and their arguments when ImageMagick is the processing backend. An attacker can craft input that, when passed through Active Storage's image processing features (for example, resizing or cropping), is interpreted as options or commands by the underlying ImageMagick utility. This ImageTragick-like flaw bypasses the intended sanitization, allowing arbitrary code execution on any server where ImageMagick is installed and Active Storage processes user-supplied files.
What is the Impact of CVE-2022-21831?
Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data exfiltration, or denial of service.
What is the Exploitability of CVE-2022-21831?
Exploitation is of moderate complexity: the attacker must understand how to craft input that ImageMagick will interpret as code when it is processed through Active Storage. No authentication is required to upload a malicious file if the application allows unauthenticated file uploads. Privilege requirements are those of the web server process running the application, and this is a remote exploitation scenario. The vulnerable condition is an application that uses Active Storage with its default or an insufficiently hardened ImageMagick policy. Risk factors include processing untrusted image files without a strict allow-list on transformation methods and arguments, and without a strong ImageMagick security policy.
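The allow-list mitigation mentioned above, as an added example (this is illustrative defensive code, not the patched Rails implementation; the permitted method names and the character set accepted for string arguments are assumptions an application would tune to its own needs):

```ruby
# Added example: validate an Active Storage-style transformation hash
# such as { resize_to_limit: [100, 100], format: :png } before it is
# handed to the image processor. Not the Rails code; assumptions noted.
class UnsupportedTransformation < StandardError; end

# Assumption: the transformation methods this application actually uses.
SUPPORTED_METHODS = %w[
  resize resize_to_limit resize_to_fit resize_to_fill resize_and_pad
  crop rotate format quality saver
].freeze

# Arguments are accepted only when they are plain numbers, booleans,
# symbols, or short strings that ImageMagick cannot read as a command-line
# option (leading "-") or as a coder/path prefix ("something:").
def safe_argument?(arg)
  case arg
  when Integer, Float, true, false, nil, Symbol then true
  when String then arg.match?(/\A[A-Za-z0-9_+.x%]+\z/) # assumption: conservative charset
  when Array  then arg.all? { |a| safe_argument?(a) }
  when Hash   then arg.all? { |k, v| safe_argument?(k.to_s) && safe_argument?(v) }
  else false
  end
end

# Raise on the first method or argument that is not explicitly allowed.
def validate_transformations!(transformations)
  transformations.each do |method, arg|
    name = method.to_s
    unless SUPPORTED_METHODS.include?(name)
      raise UnsupportedTransformation, "method not allowed: #{name}"
    end
    unless safe_argument?(arg)
      raise UnsupportedTransformation, "argument not allowed for #{name}: #{arg.inspect}"
    end
  end
  transformations
end

# Boolean convenience wrapper for callers that prefer not to rescue.
def transformations_allowed?(transformations)
  validate_transformations!(transformations)
  true
rescue UnsupportedTransformation
  false
end
```

Place the check in front of any code path that builds a variant from user-controlled parameters; an application-level allow-list does not replace a hardened ImageMagick policy, it complements it.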
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-21831?
Available Upgrade Options
- activestorage
  - >=5.2.0, <5.2.6.3 → Upgrade to 5.2.6.3
  - >=6.0.0, <6.0.4.7 → Upgrade to 6.0.4.7
  - >=6.1.0, <6.1.4.7 → Upgrade to 6.1.4.7
  - >=7.0.0, <7.0.2.3 → Upgrade to 7.0.2.3
Additional Resources
- https://www.debian.org/security/2023/dsa-5372
- https://github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e
- https://github.com/rails/rails
- https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
- https://rubysec.com/advisories/CVE-2022-21831
- https://nvd.nist.gov/vuln/detail/CVE-2022-21831
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2022-21831.yml
- https://github.com/advisories/GHSA-w749-p3v6-hccq
What are Similar Vulnerabilities to CVE-2022-21831?
Similar Vulnerabilities: CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718
