Bug 1185715 (CVE-2021-22885) - VUL-0: CVE-2021-22885: rubygem-actionpack-3_2,rubygem-actionpack-4_2,rubygem-actionpack-5_1: rubygem-actionpack: Possible Information Disclosure / Unintended Method Execution in Action Pack
Status: RESOLVED FIXED
Alias: CVE-2021-22885
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Major (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/283516/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-22885:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-06 11:48 UTC by Gianluca Gabrielli
Modified: 2024-05-23 15:34 UTC (History)
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2021-05-06 11:48:15 UTC
CVE-2021-22885

There is a possible information disclosure / unintended method execution vulnerability in Action Pack which has been assigned the CVE identifier CVE-2021-22885.

Versions Affected:  >= 2.0.0.
Not affected:       < 2.0.0.
Fixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact
------
There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.

Vulnerable code will look like this:

```
redirect_to(params[:some_param])
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
To work around this problem, it is recommended to use an allow list for valid parameters passed from the user.  For example:

```
private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end

def index
  redirect_to(check(params[:some_param]))
end
```

Or force the user input to be cast to a string like this:

```
def index
  redirect_to(params[:some_param].to_s)
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5-2-information-disclosure.patch - Patch for 5.2 series
* 6-0-information-disclosure.patch - Patch for 6.0 series
* 6-1-information-disclosure.patch - Patch for 6.1 series

Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

References:

https://www.openwall.com/lists/oss-security/2021/05/05/3
https://bugzilla.redhat.com/show_bug.cgi?id=1957441
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22885
http://seclists.org/oss-sec/2021/q2/101
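The two workarounds from the advisory above, modelled in plain Ruby so they run without Rails. This is an added example, not code from the Rails advisory, from SUSE, or from this bug. It goes beyond the advisory's `check` in two ways: the allow list maps application-chosen keys to internal paths, so the untrusted value is only ever used as a lookup key, and it shows why a plain `redirect_to(params[:x])` is risky at all: query-string parsing yields a Hash or Array for `x[k]=v` / `x[]=v`, and a non-String argument reaches the `url_for`-style branch instead of being treated as a path. `parse_query` is a constructed toy parser (real apps use Rack), `redirect_strategy` is an assumed, simplified stand-in for `redirect_to`'s type dispatch, and `ALLOWED_TARGETS` holds constructed sample routes.

```ruby
# Added example: the advisory's two workarounds (allow list, string cast),
# runnable without Rails. `params` is modelled as a plain Hash.

SAFE_DEFAULT = "/".freeze

# Allow list: short keys chosen by the application, mapped to internal
# paths. Constructed sample routes; untrusted input is only a lookup key.
ALLOWED_TARGETS = {
  "home"      => "/",
  "dashboard" => "/dashboard",
  "profile"   => "/users/me",
}.freeze

# Toy model of Rack-style query parsing, constructed for this example:
#   k=v      -> String
#   k[]=v    -> Array
#   k[sub]=v -> Hash
# It exists only to show that `params[:some_param]` is not always a String.
def parse_query(query)
  params = {}
  query.split("&").each do |pair|
    key, value = pair.split("=", 2)
    value ||= ""
    if key.end_with?("[]")
      (params[key[0...-2]] ||= []) << value
    elsif (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Workaround 1 (allow list), generalised from the advisory's `check`:
# anything that is not a String, or not a known key, gets the safe default.
def allowlisted_target(param)
  return SAFE_DEFAULT unless param.is_a?(String)
  ALLOWED_TARGETS.fetch(param, SAFE_DEFAULT)
end

# Workaround 2 (string cast): guarantees the redirect helper sees a String,
# so a Hash or Array built from the query string is never interpreted as
# URL-building options.
def string_cast_target(param)
  param.to_s
end

# Assumed, simplified stand-in for how a redirect helper picks a strategy by
# argument type; the real Rails dispatch has more cases. Kept here only to
# show which branch each workaround reaches.
def redirect_strategy(target)
  target.is_a?(String) ? :literal_path : :url_for_from_structure
end

if __FILE__ == $0
  ["to=dashboard", "to=evil", "to[]=x", "to[k]=v"].each do |q|
    raw = parse_query(q)["to"]
    puts format("%-12s raw=%-14p allowlist=%-12p raw->%p to_s->%p",
                q, raw, allowlisted_target(raw),
                redirect_strategy(raw),
                redirect_strategy(string_cast_target(raw)))
  end
end
```

The allow-list form is the stronger of the two: it also rejects well-formed but unwanted String targets (open redirects), whereas `to_s` only closes the type-confusion path described in the advisory.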
Comment 1 Gianluca Gabrielli 2021-05-06 11:49:47 UTC
Affected packages:

 - SUSE:SLE-11-SP2:Update/rubygem-actionpack-3_2  3.2.12
 - SUSE:SLE-12:Update/rubygem-actionpack-4_2      4.2.9
 - SUSE:SLE-15:Update/rubygem-actionpack-5_1      5.1.4

Upstream patch [0].

[0] https://github.com/rails/rails/commit/c4c21a9f8d7c9c8ca6570bdb82d64e2dc860e62c
Comment 3 Swamp Workflow Management 2021-05-19 16:34:09 UTC
SUSE-SU-2021:1650-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185715
CVE References: CVE-2021-22885
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    rubygem-actionpack-4_2-4.2.9-7.12.1
SUSE OpenStack Cloud Crowbar 8 (src):    rubygem-actionpack-4_2-4.2.9-7.12.1
SUSE OpenStack Cloud 7 (src):    rubygem-actionpack-4_2-4.2.9-7.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Christian Almeida de Oliveira 2021-05-20 09:23:31 UTC
see comment #2
Comment 5 Swamp Workflow Management 2021-05-26 13:16:16 UTC
SUSE-SU-2021:1759-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185715
CVE References: CVE-2021-22885
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP3 (src):    rubygem-actionpack-5_1-5.1.4-3.9.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    rubygem-actionpack-5_1-5.1.4-3.9.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    rubygem-actionpack-5_1-5.1.4-3.9.1
SUSE Linux Enterprise High Availability 15 (src):    rubygem-actionpack-5_1-5.1.4-3.9.1
Comment 6 Swamp Workflow Management 2021-05-26 22:15:43 UTC
openSUSE-SU-2021:0797-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185715
CVE References: CVE-2021-22885
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    rubygem-actionpack-5_1-5.1.4-lp152.5.6.1
Comment 7 Christian Almeida de Oliveira 2021-06-22 13:28:21 UTC
Fixes for affected SOC versions released, back to security team.
Comment 8 Swamp Workflow Management 2021-07-11 13:35:53 UTC
openSUSE-SU-2021:1759-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185715
CVE References: CVE-2021-22885
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    rubygem-actionpack-5_1-5.1.4-3.9.1
Comment 9 Gianluca Gabrielli 2022-08-02 11:53:50 UTC
Hi Jacek,

submission for SUSE:SLE-11-SP2:Update/rubygem-actionpack-3_2 is still missing. Could you provide it?
Comment 10 Christian Almeida de Oliveira 2022-08-02 14:11:40 UTC
Hi @Gianluca

Due to the very reduced SOC team, we have no capacity to solve for other product versions. Could you please check in the maintainers pool?

Cheers,
Christian
Comment 11 Gianluca Gabrielli 2022-08-02 14:35:11 UTC
Hi coldpool,

as you are the package bugowner, can you please take care of the missing submission?
Comment 13 Petr Gajdos 2022-09-30 07:35:49 UTC
(In reply to Carlos López from comment #12)
> SUSE:SLE-11-SP2:Update/rubygem-actionpack-3_2.

No handle_list() or similar code found. Considering not affected.
Comment 16 Petr Gajdos 2022-09-30 11:47:41 UTC
(In reply to Petr Gajdos from comment #13)
> (In reply to Carlos López from comment #12)
> > SUSE:SLE-11-SP2:Update/rubygem-actionpack-3_2.
> 
> No handle_list() or similar code found. Considering not affected.

At the end, Carlos found similar code in polymorphic_routes.rb and proposed a patch.

Submitted into 11sp2/rubygem-actionpack-3_2
Comment 18 Swamp Workflow Management 2022-12-08 17:27:02 UTC
SUSE-SU-2022:15116-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1185715,968850
CVE References: CVE-2016-2097,CVE-2021-22885
JIRA References: 
Sources used:
SUSE Webyast 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.27.3.1
Comment 20 Andrea Mattiazzo 2024-05-23 15:34:14 UTC
All done, closing.