PT-2019-1632 · Ruby+2 · Ruby On Rails+2

Ooooooo_Q

Publicado

2019-03-13

Atualizado

2025-09-29

CVE-2019-5420

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions prior to 5.2.2.1 Ruby on Rails versions prior to 6.0.0.beta3

Description A remote code execution issue exists in development mode Rails, allowing an attacker to guess the automatically generated development mode secret token. This token can be used in combination with other Rails internals to escalate to a remote code execution exploit. The vulnerability is related to errors in the pseudorandom number generator code.

Recommendations For versions prior to 5.2.2.1, upgrade to version 5.2.2.1 or later. For versions prior to 6.0.0.beta3, upgrade to version 6.0.0.beta3 or later. As a temporary workaround, specify a secret key in development mode by adding config.secret key base = SecureRandom.hex(64) to "config/environments/development.rb".

Exploit

Correção

RCE

Use of Insufficiently Random Values

Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-330CWE-77CWE-338

Identificadores relacionados

ALSA-2025_16880

ALT-PU-2019-1438

BDU:2019-01180

CVE-2019-5420

GHSA-M42H-MH85-4QGC

OPENSUSE-SU-2020:1993-1

OPENSUSE-SU-2020:2000-1

OPENSUSE-SU-2020_1993-1

OPENSUSE-SU-2020_2000-1

OPENSUSE-SU-2024:10589-1

SUSE-SU-2020:3036-1

SUSE-SU-2020:3147-1

SUSE-SU-2020:3160-1

Produtos afetados

Alt Linux

Ruby On Rails

Suse

PT-2019-1632 · Ruby+2 · Ruby On Rails+2

CVE-2019-5420

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 59