PT-2019-1632 · Ruby · Ruby On Rails

Ooooooo_Q · Published 2019-03-13 · Updated 2025-09-29 · CVE-2019-5420

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ruby on Rails versions prior to 5.2.2.1; Ruby on Rails versions prior to 6.0.0.beta3
Description: In development mode, affected Rails versions do not generate a random secret_key_base when none is configured (the default for a generated application). The fallback secret is derived deterministically from the application's class name (an MD5 hash of the underscored name from config/application.rb), so an attacker who knows or can guess the application name knows the secret. With it, anything Rails signs with that key (session cookies, message-verifier tokens) can be forged, and this can be combined with other Rails internals to escalate to remote code execution. The underlying weakness is a predictable secret (use of an insufficiently random value), not a defect in the pseudorandom number generator itself. The predictable fallback is only used in development mode; production mode reads secret_key_base from credentials or the environment.
Recommendations: For versions prior to 5.2.2.1, upgrade to version 5.2.2.1 or later. For 6.0.0 pre-releases prior to 6.0.0.beta3, upgrade to version 6.0.0.beta3 or later. The fixed versions generate a random development secret with SecureRandom.hex(64) and persist it in tmp/development_secret.txt. As a temporary workaround, specify a secret key in development mode by adding `config.secret_key_base = SecureRandom.hex(64)` to config/environments/development.rb; because that expression is evaluated on every boot, existing development sessions and signed tokens are invalidated at each restart, so upgrading is preferable. To confirm an instance no longer uses the predictable fallback, compare Rails.application.secret_key_base in a development console with Digest::MD5.hexdigest(Rails.application.class.name.underscore); the two must differ.
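To make the "guessable secret" concrete, the following Ruby is an added example written for this page; it is not code from the PT advisory, from the researcher, or from Rails itself. It reproduces the pre-fix development-secret derivation (MD5 of the underscored application class name), the fixed random derivation, and a Rails-5.2-style signer (PBKDF2-HMAC-SHA1 key derivation with 1000 iterations and the `base64--hexhmac` signature format, as ActiveSupport::KeyGenerator and ActiveSupport::MessageVerifier use in 5.2), so a defender can check whether a signed token from a development instance verifies under the secret an outsider can compute from the class name alone. The application name `Blog::Application`, the purpose string, and the payloads are constructed for the example; the `underscore` helper is a simplified version of ActiveSupport's. The example stops at signature verification and deliberately does not reproduce the further steps toward code execution.

```ruby
require "base64"
require "digest/md5"
require "openssl"
require "securerandom"

# Simplified ActiveSupport-style underscore: "Blog::Application" -> "blog/application".
# (ActiveSupport's acronym handling is omitted; generated Rails app names are plain CamelCase.)
def underscore(class_name)
  class_name.gsub("::", "/")
            .gsub(/([A-Z\d]+)([A-Z][a-z])/, '\1_\2')
            .gsub(/([a-z\d])([A-Z])/, '\1_\2')
            .tr("-", "_")
            .downcase
end

# Pre-fix fallback (Rails < 5.2.2.1 / < 6.0.0.beta3 in development mode with no
# configured secret): the MD5 of the underscored application class name, so anyone
# who knows the application's name can reproduce the secret.
def vulnerable_development_secret(app_class_name)
  Digest::MD5.hexdigest(underscore(app_class_name))
end

# Fixed behaviour: 128 hex characters from SecureRandom, the same call as the
# advisory's workaround (fixed Rails persists it in tmp/development_secret.txt).
def fixed_development_secret
  SecureRandom.hex(64)
end

# Rails 5.2 derives per-purpose keys from secret_key_base with PBKDF2-HMAC-SHA1
# (1000 iterations, 64-byte keys); this is the OpenSSL::KDF equivalent of the
# OpenSSL::PKCS5.pbkdf2_hmac_sha1 call ActiveSupport::KeyGenerator makes.
def derive_key(secret_key_base, purpose)
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: purpose, iterations: 1000,
                           length: 64, hash: "sha1")
end

# MessageVerifier wire format: base64(payload) + "--" + hex(HMAC-SHA1(key, base64(payload))).
def sign(key, payload)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', key, data)}"
end

# Constant-time comparison so the check itself does not leak the expected digest.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload if +signed_message+ carries a valid HMAC under +key+, else nil.
def verify(key, signed_message)
  data, digest = signed_message.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_equal?(OpenSSL::HMAC.hexdigest("SHA1", key, data), digest)
  Base64.strict_decode64(data)
rescue ArgumentError # payload was not valid strict base64
  nil
end

# Defender's check: does a token the instance signed verify under the secret an
# outsider can compute from the class name alone? True means the instance still
# uses the predictable pre-fix fallback.
def predictable_secret?(app_class_name, purpose, signed_token)
  !verify(derive_key(vulnerable_development_secret(app_class_name), purpose), signed_token).nil?
end

# Constructed demonstration (no data from any real deployment).
def demo(app_class_name = "Blog::Application", purpose = "ActiveStorage")
  instance_key = derive_key(vulnerable_development_secret(app_class_name), purpose)
  # The outsider needs nothing but the class name to build the identical key ...
  outsider_key = derive_key(Digest::MD5.hexdigest(underscore(app_class_name)), purpose)
  forged = sign(outsider_key, "forged-payload")
  # ... while a patched instance's random secret yields a key the outsider cannot reproduce.
  patched_key = derive_key(fixed_development_secret, purpose)
  {
    outsider_forgery_accepted:   verify(instance_key, forged) == "forged-payload",
    vulnerable_instance_flagged: predictable_secret?(app_class_name, purpose, sign(instance_key, "x")),
    patched_instance_flagged:    predictable_secret?(app_class_name, purpose, sign(patched_key, "x")),
  }
end
```

Run `demo` against a class name taken from your own config/application.rb; a true `vulnerable_instance_flagged` for a token the real instance issued means the development secret is still the predictable fallback, and the instance should be upgraded or given an explicit secret as described above.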

Exploit · Fix · RCE · Use of Insufficiently Random Values · Command Injection


Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2019-1438
BDU:2019-01180
CVE-2019-5420
GHSA-M42H-MH85-4QGC
OPENSUSE-SU-2020:1993-1
OPENSUSE-SU-2020:2000-1
OPENSUSE-SU-2020_1993-1
OPENSUSE-SU-2020_2000-1
OPENSUSE-SU-2024:10589-1
SUSE-SU-2020:3036-1
SUSE-SU-2020:3147-1
SUSE-SU-2020:3160-1

Affected Products

Alt Linux
Ruby On Rails
Suse