PT-2022-1849 · Ruby · Ruby On Rails Active Storage

Sergey-Alekseev · Published 2022-03-08 · Updated 2025-09-29

CVE-2022-21831

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Ruby on Rails Active Storage versions 5.2.0 through 5.2.6.2
Ruby on Rails Active Storage versions 6.0.0 through 6.0.4.6
Ruby on Rails Active Storage versions 6.1.0 through 6.1.4.6
Ruby on Rails Active Storage versions 7.0.0 through 7.0.2.2
Description

A code injection vulnerability (CWE-94, Improper Control of Generation of Code) exists in the Active Storage module of Ruby on Rails. Transformation methods and arguments handed to Active Storage's image variant processing are passed on to the image processing backend without adequate restriction, so an application that builds variant transformations from user-supplied input could allow a remote attacker to execute arbitrary code through the image processing arguments. The issue is reachable wherever request-controlled values flow into variant transformation methods or their arguments. Implementing a strict allow-list of accepted transformation methods and arguments, together with a strict ImageMagick security policy, mitigates the issue.
Recommendations

For versions 5.2.0 through 5.2.6.2, update to version 5.2.6.3 or later.
For versions 6.0.0 through 6.0.4.6, update to version 6.0.4.7 or later.
For versions 6.1.0 through 6.1.4.6, update to version 6.1.4.7 or later.
For versions 7.0.0 through 7.0.2.2, update to version 7.0.2.3 or later.

Until the update can be applied, as a temporary workaround: enforce a strict allow-list of accepted transformation methods and arguments, so that anything not explicitly permitted is rejected before it reaches variant processing (blocking known-bad values is not sufficient), and enforce a strict ImageMagick security policy (policy.xml) to limit what the image processor can do if a malicious argument reaches it. Audit the application for every place where request parameters flow into variant or transformation options.
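The allow-list workaround recommended above, as an added example that is not code from Rails, from the advisory, or from this page. The module name VariantAllowlist, the PERMITTED table (a hypothetical set of sizing and rotation methods chosen for illustration) and MAX_VALUE are assumptions; an application would list exactly the image_processing methods it actually uses. The module runs stand-alone without Rails: it takes the transformation hash an application would otherwise pass straight to blob.variant and returns a sanitized copy, or raises, so that method names such as "write" or ImageMagick-style "-write" arguments never reach the image processor.

```ruby
# Added example (not Rails or advisory code): a strict allow-list for
# Active Storage variant transformations built from request input.
#
# Vulnerable pattern this replaces (do not do this on affected versions):
#   blob.variant(params[:transform]).processed
# Every key of params[:transform] becomes a method call on the image
# processor and every value becomes that method's arguments.
module VariantAllowlist
  class UnsupportedTransformation < StandardError; end

  # Hypothetical allow-list: only these image_processing methods may be
  # invoked, each with a fixed number of positive-integer arguments.
  # Anything else (e.g. "write", "-write", "loader", "saver") is rejected.
  PERMITTED = {
    "resize_to_limit" => 2,
    "resize_to_fill"  => 2,
    "resize_to_fit"   => 2,
    "rotate"          => 1,
  }.freeze

  MAX_VALUE = 4096 # assumed upper bound for pixel sizes and rotation angles

  # Returns a symbol-keyed hash that is safe to pass to blob.variant(...),
  # or raises UnsupportedTransformation. Accepts only a plain Hash, so an
  # ActionController::Parameters object must be converted explicitly by
  # the caller rather than passed through unchecked.
  def self.sanitize(transformations)
    unless transformations.is_a?(Hash) && !transformations.empty?
      raise UnsupportedTransformation, "expected a non-empty Hash of transformations"
    end

    transformations.each_with_object({}) do |(method, args), out|
      name  = method.to_s
      arity = PERMITTED[name]
      raise UnsupportedTransformation, "method not allowed: #{name}" unless arity

      values = args.is_a?(Array) ? args : [args]
      unless values.size == arity && values.all? { |v| bounded_int?(v) }
        raise UnsupportedTransformation, "bad arguments for #{name}: #{args.inspect}"
      end

      # Re-encode the arguments as Integers so the processor never sees
      # the caller's original strings.
      out[name.to_sym] = values.map { |v| Integer(v) }
    end
  end

  # True only for values that parse as an integer within (0, MAX_VALUE].
  def self.bounded_int?(value)
    i = Integer(value, exception: false)
    !i.nil? && i > 0 && i <= MAX_VALUE
  end
  private_class_method :bounded_int?
end

if $PROGRAM_NAME == __FILE__
  p VariantAllowlist.sanitize({ "resize_to_limit" => ["800", "600"] })
  begin
    VariantAllowlist.sanitize({ "write" => "/tmp/x.png" })
  rescue VariantAllowlist::UnsupportedTransformation => e
    puts "rejected: #{e.message}"
  end
end
```

The check is deliberately an allow-list rather than a block-list: the set of dangerous methods and ImageMagick options is open-ended, while the set of transformations an application needs is small and fixed. In a Rails controller the sanitized hash, not the raw parameters, is what gets passed to variant.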

Exploit · Fix · Code Injection


Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2022-2630
ALT-PU-2023-4268
ALT-PU-2024-7814
BDU:2022-01318
CVE-2022-21831
DLA-3093-1
DSA-5372-1
GHSA-W749-P3V6-HCCQ
OPENSUSE-SU-2024:11903-1
OPENSUSE-SU-2024:12880-1
OPENSUSE-SU-2024:14070-1
OPENSUSE-SU-2025:15113-1

Affected Products

Alt Linux
Astra Linux
Ruby On Rails Active Storage