-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : rails Version : 2:4.1.8-1+deb8u7 CVE ID : CVE-2020-8164 CVE-2020-8165
Two vulnerabilities were found in Ruby on Rails, a MVC ruby-based framework geared for web application development, which could lead to remote code execution and untrusted user input usage, depending on the application. CVE-2020-8164 Strong parameters bypass vector in ActionPack. In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input. CVE-2020-8165 Potentially unintended unmarshalling of user-provided objects in MemCacheStore. There is potentially unexpected behaviour in the MemCacheStore where, when untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum, this vulnerability allows an attacker to inject untrusted Ruby objects into a web application. In addition to upgrading to the latest versions of Rails, developers should ensure that whenever they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both reading and writing. For Debian 8 "Jessie", these problems have been fixed in version 2:4.1.8-1+deb8u7. We recommend that you upgrade your rails packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl7s8VgACgkQj/HLbo2J BZ9+mwf/eTm6thb+c3shNLZxrJpoucZ9mwAeDvZ6fGpToePHb3aNlwqUI5MuUjp8 4s0FxpD1fLcDhhTGZTJkqeThQ/4qoutzvZjbsK9bGRLBo71Zkru2DolEvf71KNZC e0RDl/mfQHyhuDHePgnW8LV2MgG1/z+WKwabQ25mowV7lsoLIG8Z7F+wy7DkmeWN RybrUrCZGs+3J5KmhnAWM/U8oaQBgOQcYHdKGieCJ3KlUp7+LsDZEMEmbU4Cggog wGFovg3jsYTWDA3CNTW1ciK+Pw4x6XwWe+hyQzWZCt7j0ua1+o11GLVW1/cuHdpJ kci12HV5BINkmtAbCtHdilLjOrLT5Q== =f8HC -----END PGP SIGNATURE-----