Possible code injection vulnerability in Rails / Active Storage

GHSA-w749-p3v6-hccq · CVE-2022-21831

Published Mar 8, 2022 · Modified Mar 13, 2026

Description

The Active Storage module of Rails starting with version 5.2.0 is possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-21831
WEB https://github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e
ADVISORY https://github.com/advisories/GHSA-w749-p3v6-hccq
PACKAGE https://github.com/rails/rails
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2022-21831.yml
WEB https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI
WEB https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
WEB https://rubysec.com/advisories/CVE-2022-21831
WEB https://security.netapp.com/advisory/ntap-20221118-0001
WEB https://www.debian.org/security/2023/dsa-5372

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes