GSD-2020-8151

Vulnerability from gsd - Updated: 2020-05-05 00:00
Details
activeresource contains a lack of encoding flaw in the element_path function of lib/active_resource/base.rb. There is an issue with the way Active Resource encodes data before querying the back end server. This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected. Impacted code will look something like this: ``` require 'activeresource' class Test < ActiveResource::Base self.site = 'http://127.0.0.1:3000' end Test.exists?(untrusted_user_input) ``` Where untrusted user input is passed to an Active Resource model. Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information. Workarounds ------------- For those that can't upgrade, the following monkey patch can be applied: ``` module ActiveResource class Base class << self def element_path(id, prefix_options = {}, query_options = nil) check_prefix_options(prefix_options) prefix_options, query_options = split_options(prefix_options) if query_options.nil? "#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}" end end end end ```
Aliases
Aliases
CVE-2020-8151
To clipboard 

{
  "GSD": {
    "alias": "CVE-2020-8151",
    "description": "There is a possible information disclosure issue in Active Resource \u003cv5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.",
    "id": "GSD-2020-8151",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-8151.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "activeresource",
            "purl": "pkg:gem/activeresource"
          }
        }
      ],
      "aliases": [
        "CVE-2020-8151",
        "GHSA-46j2-xjgp-jrfm"
      ],
      "details": "activeresource contains a lack of encoding flaw in the element_path function of\nlib/active_resource/base.rb.\n\nThere is an issue with the way Active Resource encodes data before querying the back end server.  This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected.\n\nImpacted code will look something like this:\n\n```\nrequire \u0027activeresource\u0027\n\nclass Test \u003c ActiveResource::Base\n  self.site = \u0027http://127.0.0.1:3000\u0027\nend\n\nTest.exists?(untrusted_user_input)\n```\n\nWhere untrusted user input is passed to an Active Resource model.  Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information.\n\nWorkarounds\n-------------\n\nFor those that can\u0027t upgrade, the following monkey patch can be applied:\n\n```\nmodule ActiveResource\n class Base\n   class \u003c\u003c self\n     def element_path(id, prefix_options = {}, query_options = nil)\n       check_prefix_options(prefix_options)\n\n       prefix_options, query_options = split_options(prefix_options) if query_options.nil?\n       \"#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}\"\n     end\n   end\n end\nend\n```\n",
      "id": "GSD-2020-8151",
      "modified": "2020-05-05T00:00:00.000Z",
      "published": "2020-05-05T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2020-8151",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/rails/activeresource",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "5.1.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "There is a possible information disclosure issue in Active Resource \u003cv5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information Disclosure (CWE-200)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8",
            "refsource": "MISC",
            "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8"
          },
          {
            "name": "FEDORA-2020-02646284df",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSR/"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2020-8151",
      "cvss_v3": 7.5,
      "date": "2020-05-05",
      "description": "activeresource contains a lack of encoding flaw in the element_path function of\nlib/active_resource/base.rb.\n\nThere is an issue with the way Active Resource encodes data before querying the back end server.  This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected.\n\nImpacted code will look something like this:\n\n```\nrequire \u0027activeresource\u0027\n\nclass Test \u003c ActiveResource::Base\n  self.site = \u0027http://127.0.0.1:3000\u0027\nend\n\nTest.exists?(untrusted_user_input)\n```\n\nWhere untrusted user input is passed to an Active Resource model.  Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information.\n\nWorkarounds\n-------------\n\nFor those that can\u0027t upgrade, the following monkey patch can be applied:\n\n```\nmodule ActiveResource\n class Base\n   class \u003c\u003c self\n     def element_path(id, prefix_options = {}, query_options = nil)\n       check_prefix_options(prefix_options)\n\n       prefix_options, query_options = split_options(prefix_options) if query_options.nil?\n       \"#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}\"\n     end\n   end\n end\nend\n```\n",
      "gem": "activeresource",
      "ghsa": "46j2-xjgp-jrfm",
      "patched_versions": [
        "\u003e= 5.1.1"
      ],
      "title": "activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c5.1.1",
          "affected_versions": "All versions before 5.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-863",
            "CWE-937"
          ],
          "date": "2021-10-07",
          "description": "There is a possible information disclosure issue in Active Resource that could allow an attacker to create specially crafted requests to access data and possibly leak information.",
          "fixed_versions": [
            "5.1.1"
          ],
          "identifier": "CVE-2020-8151",
          "identifiers": [
            "CVE-2020-8151"
          ],
          "not_impacted": "All versions starting from 5.1.1",
          "package_slug": "gem/activeresource",
          "pubdate": "2020-05-12",
          "solution": "Upgrade to version 5.1.1 or above.",
          "title": "Information Exposure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-8151"
          ],
          "uuid": "b28977be-1e0a-472f-ae63-d7f320efc6da"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:active_resource:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.1.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2020-8151"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "There is a possible information disclosure issue in Active Resource \u003cv5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-863"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8"
            },
            {
              "name": "FEDORA-2020-02646284df",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSR/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-10-07T17:19Z",
      "publishedDate": "2020-05-12T13:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.