CVE-2020-8162: Circumvention of file size limits in ActiveStorage

A client-side enforcement of server-side security vulnerability exists in the ActiveStorage S3 adapter of rails < 5.2.4.2 and rails < 6.0.3.1 that allows the Content-Length of a direct file upload to be modified by an end user, bypassing upload limits.


Circumvention of file size limits in ActiveStorage

There is a vulnerability in ActiveStorage’s S3 adapter that allows the Content-Length of a
direct file upload to be modified by an end user. This vulnerability has been assigned the CVE identifier CVE-2020-8162.

Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1
Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a
new signature from the server. This could be used to bypass controls in place on the server to limit upload size.
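As an added illustration (not from the advisory or the Rails patches), the following models the difference between a presigned direct upload whose signature omits Content-Length and one that binds it. It uses an HMAC stand-in rather than AWS SigV4 or the aws-sdk-s3 API, and every key, value and function name is constructed for the example.

```ruby
require "openssl"

# Constructed stand-in for presigning a direct-upload URL: an HMAC over the
# fields the server chooses to bind. Placeholder key, not AWS SigV4 or aws-sdk-s3.
SIGNING_SECRET = "example-signing-key-not-a-real-credential"
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Weak: Content-Length is not signed, so the client can change it after the
# server has already approved the size (the class of bug CVE-2020-8162 describes).
WEAK_FIELDS = %w[key content_type checksum expires_at].freeze
# Fixed: Content-Length is bound into the signature, so changing it forces a new
# round trip to the server, where the size limit is actually enforced.
STRICT_FIELDS = %w[key content_type content_length checksum expires_at].freeze

def sign(params, fields)
  payload = fields.map { |f| "#{f}=#{params.fetch(f)}" }.join("&")
  OpenSSL::HMAC.hexdigest("SHA256", SIGNING_SECRET, payload)
end

# Server side: enforce the limit, then hand out the signed parameters.
def presign(params, fields)
  if params["content_length"].to_i > MAX_UPLOAD_BYTES
    raise ArgumentError, "upload of #{params['content_length']} bytes exceeds limit"
  end
  params.merge("signature" => sign(params, fields))
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Storage side: accept the PUT only if the presented parameters re-derive the signature.
def accept_upload?(presented, fields)
  secure_equal?(sign(presented, fields), presented.fetch("signature", ""))
end

# Does a client that edits Content-Length after presigning get past the store?
def tampered_upload_accepted?(fields)
  request = { "key" => "uploads/demo-blob", "content_type" => "image/png",
              "content_length" => "1024", "checksum" => "c2hhMjU2LWRlbW8=",
              "expires_at" => "1700000000" }                     # constructed values
  signed = presign(request, fields)                               # server approves 1 KiB
  tampered = signed.merge("content_length" => (50 * 1024 * 1024).to_s) # client claims 50 MiB
  accept_upload?(tampered, fields)
end

puts "weak signing accepts tampered size:   #{tampered_upload_accepted?(WEAK_FIELDS)}"   # true
puts "strict signing accepts tampered size: #{tampered_upload_accepted?(STRICT_FIELDS)}" # false
```

The same principle applies after the upload: the server should still confirm the stored object's actual byte size before treating the blob as valid, rather than trusting any size the client reported.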

Releases
--------

Rails 5.2.4.3 and 6.0.3.1 are available on RubyGems.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessary
until such time as the application can be upgraded.

Patches
-------

For developers who are not able to immediately patch their applications,
we are including the following patches for Rails 6.0.3 and Rails 5.2.4.2.

* 5-2-activestorage-s3-adapter.patch
* 6-0-activestorage-s3-adapter.patch

Credits
-------

Thanks to Travis Pew (@travisp) for reporting this issue via our HackerOne bug bounty program and providing a patch.
