Debian 10 Buster: DLA-3093-1 Moderate Rails Code Injection and XSS

Debian LTS
September 3, 2022
The following vulnerabilities have been discovered in rails, a Ruby-based MVC framework for web development.

Summary

CVE-2022-21831

A code injection vulnerability exists in Active Storage that could
allow an attacker to execute code via image_processing arguments.

CVE-2022-22577

An XSS vulnerability in Action Pack that could allow an attacker to
bypass CSP for non-HTML-like responses.

CVE-2022-23633

Action Pack is a framework for handling and responding to web
requests. Under certain circumstances response bodies will not be
closed. In the event a response is *not* notified of a `close`,
`ActionDispatch::Executor` will not know to reset thread local
state for the next request. This can lead to data being leaked to
subsequent requests.
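To make the leak described for CVE-2022-23633 concrete, here is a small Rack-style simulation written for this page (not Rails' own code). It models request-scoped thread-local state with a constructed `Current` module, a body proxy whose reset hook only fires on `close`, and two executors: the vulnerable shape that relies solely on the close hook, and a hardened shape modelled on the idea of the fix (reset on entry to every request, and in `ensure` when no body was returned). The app, the `X-User` header and the helper names are all assumptions made for the example.

```ruby
require 'yaml' # not needed by the logic; keeps the file runnable with psych preloaded elsewhere

# Constructed stand-in for per-request thread-local state (the role
# ActiveSupport::CurrentAttributes plays in a real Rails app).
module Current
  KEY = :example_current_user

  def self.user
    Thread.current[KEY]
  end

  def self.user=(value)
    Thread.current[KEY] = value
  end

  def self.reset
    Thread.current[KEY] = nil
  end
end

# Rack-style body wrapper: the block runs only if someone calls #close.
class BodyProxy
  def initialize(body, &on_close)
    @body = body
    @on_close = on_close
  end

  def each(&block)
    @body.each(&block)
  end

  def close
    @body.close if @body.respond_to?(:close)
    @on_close.call
  end
end

# Vulnerable shape: thread-local state is reset only from the body's close
# hook, so a body that is never closed leaves the state behind for the
# next request served on this thread.
class LeakyExecutor
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers, BodyProxy.new(body) { Current.reset }]
  end
end

# Hardened shape, modelled on the fix idea: reset state on entry to every
# request, and also in ensure if the app raised before handing back a body.
class ResettingExecutor
  def initialize(app)
    @app = app
  end

  def call(env)
    Current.reset
    returned = false
    status, headers, body = @app.call(env)
    returned = true
    [status, headers, BodyProxy.new(body) { Current.reset }]
  ensure
    Current.reset unless returned
  end
end

# Constructed app: a request carrying X-User "logs in" that user; every
# request then renders whoever Current.user claims is logged in.
APP = lambda do |env|
  Current.user = env['HTTP_X_USER'] if env['HTTP_X_USER']
  [200, { 'content-type' => 'text/plain' }, ["hello #{Current.user.inspect}"]]
end

# Serve two requests on one thread, as a threaded server reusing workers
# would. The first response body is deliberately never closed (e.g. a
# streaming client that went away). Returns what the second request rendered.
def simulate(executor_class)
  stack = executor_class.new(APP)
  Current.reset
  stack.call('HTTP_X_USER' => 'alice')     # body dropped without #close
  _status, _headers, body = stack.call({}) # anonymous request, same thread
  rendered = +''
  body.each { |chunk| rendered << chunk }
  body.close
  rendered
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky:     #{simulate(LeakyExecutor)}"     # second request sees alice
  puts "resetting: #{simulate(ResettingExecutor)}" # second request sees nil
end
```

The point to take from the simulation is that a close hook is a cleanup mechanism the server, not the framework, controls: any code path that drops a body without closing it (client disconnects, middleware that replaces the body, exceptions) silently skips the reset, so the safe design resets at the start of every request as well.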

CVE-2022-27777

An XSS vulnerability in Action View tag helpers which would allow
an attacker to inject content if able to control input into
specific attributes.

CVE-2022-32224

When serialized columns that use YAML (the default) are
deserialized, Rails uses YAML.unsafe_load to convert the YAML data
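The following is an added example, not code from the advisory or from Rails, showing why loading a serialized column with the permissive YAML loader matters when an attacker can write to the database. A constructed class `RevivedProbe` records that its `init_with` ran (Psych calls it while reviving a `!ruby/object:` node, so this is application code executing during deserialization), and a constructed tampered row names that class instead of the plain Hash the application expected. `load_column_unsafe` mirrors the pre-fix behaviour; `load_column_safe` mirrors the fixed behaviour of loading with an allow-list of permitted classes (the list here is chosen for the example).

```ruby
require 'yaml'
require 'date'

# Constructed stand-in for any class an attacker-controlled YAML document
# could name. Psych calls init_with on revival, so application code runs as a
# side effect of merely deserializing database contents.
class RevivedProbe
  @revived = 0
  class << self
    attr_accessor :revived
  end

  attr_reader :note

  def init_with(coder)
    self.class.revived += 1
    @note = coder['note']
  end
end

# Constructed YAML playing the role of a value read back from a serialized
# column after someone tampered with the row (e.g. via SQL injection).
TAMPERED_ROW = "--- !ruby/object:RevivedProbe\nnote: written via SQL injection\n"

# Pre-fix behaviour: the permissive loader instantiates whatever class the
# document names. Psych 4 renamed this entry point to unsafe_load; on older
# Psych the plain load call is already the permissive loader.
def load_column_unsafe(payload)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(payload)
  else
    YAML.load(payload)
  end
end

# Hardened coder: only an explicit allow-list of classes may be revived; the
# list below is an example choice, not the framework's default.
PERMITTED = [Symbol, Date, Time].freeze

def load_column_safe(payload, permitted_classes: PERMITTED)
  YAML.safe_load(payload, permitted_classes: permitted_classes, aliases: true)
end

# Load the same tampered row both ways and report what happened.
def compare(payload)
  before = RevivedProbe.revived
  unsafe_obj = load_column_unsafe(payload)
  unsafe_ran_code = RevivedProbe.revived > before

  safe_result =
    begin
      load_column_safe(payload)
      :allowed
    rescue Psych::DisallowedClass
      :rejected
    end

  {
    unsafe_class: unsafe_obj.class.name,   # "RevivedProbe": arbitrary class revived
    unsafe_ran_code: unsafe_ran_code,      # true: init_with executed
    safe: safe_result                      # :rejected: DisallowedClass raised
  }
end

if __FILE__ == $PROGRAM_NAME
  p compare(TAMPERED_ROW)
  p load_column_safe("---\nfoo: bar\n")    # ordinary data still loads
end
```

Note that this only demonstrates that an arbitrary class is instantiated and its revival hooks run; turning that into remote code execution depends on which classes are loaded in the process, which is exactly why the fix moves to an allow-list rather than trying to enumerate dangerous ones.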



Package: rails
Version: 2:5.2.2.1+dfsg-1+deb10u4
CVE ID: CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-27777 CVE-2022-32224
