PT-2026-27263 · Rails+1
Jhawthorn · Published 2026-03-23 · Updated 2026-05-08 · CVE-2026-33202
CVSS v3.1 9.1 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Rails versions prior to 8.1.2.1
Rails versions prior to 8.0.4.1
Rails versions prior to 7.2.3.1
Description
Active Storage enables users to attach cloud and local files within Rails applications. A flaw exists in the DiskService#delete_prefixed method, where blob keys are passed directly to Dir.glob without escaping glob metacharacters. This can lead to the deletion of unintended files from the storage directory if a blob key contains attacker-controlled input or custom-generated keys that include glob metacharacters.
Recommendations
Update to Rails version 8.1.2.1 or later.
Update to Rails version 8.0.4.1 or later.
Update to Rails version 7.2.3.1 or later.
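The weakness described above, reduced to a runnable model. This is an added example, not Rails' code and not the patch Rails shipped: a hypothetical flat disk store under a temporary directory, where `delete_prefixed` removes every file whose name starts with a blob key. With `escape: false` the key is spliced straight into the `Dir.glob` pattern, so a constructed key of `*` matches (and deletes) every blob in the directory; with `escape: true` the glob metacharacters in the key are backslash-escaped first, so the key is matched literally and a hostile key matches nothing. `escape_glob`, `delete_prefixed` and `run_scenario` are names chosen for this example, and the file names are constructed.

```ruby
require "tmpdir"
require "fileutils"

# Characters that Dir.glob interprets as pattern syntax. A backslash in the
# pattern makes Dir.glob treat the following character literally (unless
# File::FNM_NOESCAPE is passed).
GLOB_METACHARS = /[\\*?\[\]{}]/

# Escape a string so that Dir.glob matches it as literal text.
def escape_glob(str)
  str.gsub(GLOB_METACHARS) { |c| "\\#{c}" }
end

# Hypothetical, simplified disk store: a blob and its variants are flat files
# under +root+ whose names begin with the blob key. Deletes every file whose
# name starts with +key+ and returns the sorted basenames that were removed.
#
# escape: false reproduces the advisory's weakness (the key is interpolated
# into the glob pattern unescaped); escape: true is the hardened form.
def delete_prefixed(root, key, escape:)
  pattern = if escape
    File.join(escape_glob(root), "#{escape_glob(key)}*")
  else
    File.join(root, "#{key}*")
  end
  Dir.glob(pattern).map do |path|
    FileUtils.rm_f(path)
    File.basename(path)
  end.sort
end

# Builds a constructed store holding two blobs (three files), runs a single
# prefixed deletion for +key+ and reports what was deleted and what survived.
def run_scenario(key, escape:)
  Dir.mktmpdir do |root|
    %w[abc123-variant1 abc123-variant2 def456-variant1].each do |name|
      FileUtils.touch(File.join(root, name))
    end
    deleted = delete_prefixed(root, key, escape: escape)
    { deleted: deleted, remaining: Dir.children(root).sort }
  end
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario("abc123", escape: false) # legitimate key: only abc123's files go
  p run_scenario("*", escape: false)      # constructed hostile key: every file goes
  p run_scenario("*", escape: true)       # same key, escaped: nothing matches
end
```

Escaping pattern syntax is one mitigation; another is to avoid passing untrusted text to a glob at all and instead list the directory and filter with `String#start_with?`. Either way, the check to carry into a review is whether any path that reaches `Dir.glob` (or `File.fnmatch`) can be influenced by a caller.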
Exploit
Fix
Weakness Enumeration
Special Elements Injection
Related identifiers
Affected products
Rails
Red Os