CVE-2022-32224
Remote Code Execution vulnerability in activerecord (RubyGems)

Remote Code Execution Proof of concept

What is CVE-2022-32224 About?

This vulnerability allows Remote Code Execution (RCE) in Rails applications that deserialize YAML-based serialized columns. An attacker who can already write to the database (for example through SQL injection or a compromised database host) can escalate that write primitive to RCE. The exploit depends on Active Record loading column data with `YAML.unsafe_load` and on the attacker controlling the stored data, which makes it of medium difficulty to exploit.

Affected Software

  • activerecord
    • <5.2.8.1
    • >=6.0.0, <6.0.5.1
    • >=6.1.0, <6.1.6.1
    • >=7.0.0, <7.0.3.1

Technical Details

The vulnerability affects Rails applications that use YAML (the default coder) for `serialize`d columns. When such a column is read, Active Record converts the stored YAML string back into Ruby objects with `YAML.unsafe_load` (`YAML.load` on older Psych, which is equally unrestricted). Unrestricted YAML loading honours `!ruby/object:` and similar tags, so the loader will allocate any class the document names and populate it with attacker-chosen fields. If an attacker can write to the database, for example through a SQL injection flaw or a compromised database, they can replace a column's YAML with a document naming classes whose initialisation or later use runs code, and the next read of that row executes it in the application process. The patched versions switch the coder to `YAML.safe_load` with an allow-list of permitted classes, so such tags are rejected unless explicitly opted in.
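The mechanism described above, and the database-write prerequisite discussed under exploitability, as an added example that is not code from Rails or from the original page. It stands in for a serialized column's coder: `vulnerable_load` mirrors the unpatched behaviour, `hardened_load` mirrors the patched allow-list approach. `Sentinel`, `MALICIOUS_YAML` and `BENIGN_YAML` are constructed for the demo; `Sentinel` only records that its `init_with` hook ran, standing in for any real class an attacker-supplied tag could reach.

```ruby
require "yaml"

# Constructed for this demo: a stand-in for any class reachable via a
# `!ruby/object:` tag. Psych allocates the class and calls init_with with the
# attacker-supplied fields, so if this hook runs, stored data has driven code
# in the application process.
class Sentinel
  attr_reader :triggered

  def init_with(coder)
    @triggered = "init_with ran with #{coder['cmd'].inspect}"
  end
end

# Constructed attacker payload: what could land in a serialized column via
# SQL injection or a compromised database. The tag names an arbitrary class.
MALICIOUS_YAML = "--- !ruby/object:Sentinel\ncmd: id\n"

# Constructed benign value, as a `serialize :prefs` column would store it.
BENIGN_YAML = { "theme" => "dark", "lang" => :en }.to_yaml

# Vulnerable coder: unpatched Active Record loads column data without any
# class restriction (YAML.unsafe_load; on Psych < 3.3.2 YAML.load is unsafe).
def vulnerable_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Hardened coder: safe_load with an explicit allow-list, as in the patched
# versions. [Symbol] matches the default allow-list; anything else has to be
# opted in by the application.
def hardened_load(yaml, permitted_classes: [Symbol])
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)
end

# Runs both coders over both stored values and returns what happened.
def demo
  results = {}
  results[:benign_vulnerable] = vulnerable_load(BENIGN_YAML)
  results[:malicious_vulnerable] = vulnerable_load(MALICIOUS_YAML).triggered # attacker hook ran
  results[:benign_hardened] = hardened_load(BENIGN_YAML)
  begin
    hardened_load(MALICIOUS_YAML)
    results[:malicious_hardened] = "loaded (BAD)"
  rescue Psych::DisallowedClass => e
    results[:malicious_hardened] = e.class.name # unknown class rejected before allocation
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The point of the allow-list is that rejection happens at tag resolution, before any object is allocated, so no constructor, `init_with` or `marshal_load` hook of an unexpected class ever runs. Adding a class to `permitted_classes` re-enables its instantiation from stored data, which is why each addition should be a deliberate decision.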

What is the Impact of CVE-2022-32224?

Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data theft, and denial of service.

What is the Exploitability of CVE-2022-32224?

Exploitation consists of writing a malicious YAML document into a serialized column and waiting for the application to read that row. The attacker therefore needs a prior database write primitive, typically a SQL injection flaw or direct access to a compromised database, so the overall complexity is medium to high and depends on how that primitive is obtained. Authentication and privilege requirements are those of the preceding vulnerability. The attack is remote when the write primitive is reachable remotely (SQL injection through a web request); with only direct database access it is effectively a post-compromise escalation. The application must use the default YAML coder for serialized columns and an unpatched Active Record (or a patched one with `use_yaml_unsafe_load` re-enabled). Risk is significantly higher for applications that are exposed to database injection vulnerabilities.

What are the Known Public Exploits?

PoC Author    Link    Commentary
ooooooo-q     Link    PoC for CVE-2022-32224

What are the Available Fixes for CVE-2022-32224?

Available Upgrade Options

  • activerecord
    • <5.2.8.1 → Upgrade to 5.2.8.1
    • >=6.0.0, <6.0.5.1 → Upgrade to 6.0.5.1
    • >=6.1.0, <6.1.6.1 → Upgrade to 6.1.6.1
    • >=7.0.0, <7.0.3.1 → Upgrade to 7.0.3.1

The fixed versions load serialized columns with `YAML.safe_load` and an allow-list that defaults to `[Symbol]`. Applications that store other classes in serialized columns can add them via `config.active_record.yaml_column_permitted_classes` (for example `[Symbol, Date, Time]`). Setting `config.active_record.use_yaml_unsafe_load = true` restores the old unrestricted loading and with it the vulnerability, so it should only be a temporary bridge while the stored data is migrated.


Additional Resources

What are Similar Vulnerabilities to CVE-2022-32224?

Similar Vulnerabilities: CVE-2020-8164, CVE-2020-8162, CVE-2023-26143, CVE-2020-8160, CVE-2020-8161