gsd-2020-8151
Vulnerability from gsd
Modified
2020-05-05 00:00
Details
activeresource contains a lack of encoding flaw in the element_path function of
lib/active_resource/base.rb.
There is an issue with the way Active Resource encodes data before querying the back end server. This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected.
Impacted code will look something like this:
```
require 'activeresource'
class Test < ActiveResource::Base
self.site = 'http://127.0.0.1:3000'
end
Test.exists?(untrusted_user_input)
```
Where untrusted user input is passed to an Active Resource model. Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information.
Workarounds
-------------
For those that can't upgrade, the following monkey patch can be applied:
```
module ActiveResource
class Base
class << self
def element_path(id, prefix_options = {}, query_options = nil)
check_prefix_options(prefix_options)
prefix_options, query_options = split_options(prefix_options) if query_options.nil?
"#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}"
end
end
end
end
```
Aliases
Aliases
{ GSD: { alias: "CVE-2020-8151", description: "There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.", id: "GSD-2020-8151", references: [ "https://www.suse.com/security/cve/CVE-2020-8151.html", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { affected: [ { package: { ecosystem: "RubyGems", name: "activeresource", purl: "pkg:gem/activeresource", }, }, ], aliases: [ "CVE-2020-8151", "GHSA-46j2-xjgp-jrfm", ], details: "activeresource contains a lack of encoding flaw in the element_path function of\nlib/active_resource/base.rb.\n\nThere is an issue with the way Active Resource encodes data before querying the back end server. This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected.\n\nImpacted code will look something like this:\n\n```\nrequire 'activeresource'\n\nclass Test < ActiveResource::Base\n self.site = 'http://127.0.0.1:3000'\nend\n\nTest.exists?(untrusted_user_input)\n```\n\nWhere untrusted user input is passed to an Active Resource model. Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information.\n\nWorkarounds\n-------------\n\nFor those that can't upgrade, the following monkey patch can be applied:\n\n```\nmodule ActiveResource\n class Base\n class << self\n def element_path(id, prefix_options = {}, query_options = nil)\n check_prefix_options(prefix_options)\n\n prefix_options, query_options = split_options(prefix_options) if query_options.nil?\n \"#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}\"\n end\n end\n end\nend\n```\n", id: "GSD-2020-8151", modified: "2020-05-05T00:00:00.000Z", published: "2020-05-05T00:00:00.000Z", references: [ { type: "WEB", url: "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8", }, ], schema_version: "1.4.0", severity: [ { score: 7.5, type: "CVSS_V3", }, ], summary: "activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "support@hackerone.com", ID: "CVE-2020-8151", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "https://github.com/rails/activeresource", version: { version_data: [ { version_value: "5.1.1", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure (CWE-200)", }, ], }, ], }, references: { reference_data: [ { name: "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8", refsource: "MISC", url: "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8", }, { name: "FEDORA-2020-02646284df", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSR/", }, ], }, }, "github.com/rubysec/ruby-advisory-db": { cve: "2020-8151", cvss_v3: 7.5, date: "2020-05-05", description: "activeresource contains a lack of encoding flaw in the element_path function of\nlib/active_resource/base.rb.\n\nThere is an issue with the way Active Resource encodes data before querying the back end server. This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected.\n\nImpacted code will look something like this:\n\n```\nrequire 'activeresource'\n\nclass Test < ActiveResource::Base\n self.site = 'http://127.0.0.1:3000'\nend\n\nTest.exists?(untrusted_user_input)\n```\n\nWhere untrusted user input is passed to an Active Resource model. Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information.\n\nWorkarounds\n-------------\n\nFor those that can't upgrade, the following monkey patch can be applied:\n\n```\nmodule ActiveResource\n class Base\n class << self\n def element_path(id, prefix_options = {}, query_options = nil)\n check_prefix_options(prefix_options)\n\n prefix_options, query_options = split_options(prefix_options) if query_options.nil?\n \"#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}\"\n end\n end\n end\nend\n```\n", gem: "activeresource", ghsa: "46j2-xjgp-jrfm", patched_versions: [ ">= 5.1.1", ], title: "activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding", url: "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8", }, "gitlab.com": { advisories: [ { affected_range: "<5.1.1", affected_versions: "All versions before 5.1.1", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:N/A:N", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", cwe_ids: [ "CWE-1035", "CWE-863", "CWE-937", ], date: "2021-10-07", description: "There is a possible information disclosure issue in Active Resource that could allow an attacker to create specially crafted requests to access data and possibly leak information.", fixed_versions: [ "5.1.1", ], identifier: "CVE-2020-8151", identifiers: [ "CVE-2020-8151", ], not_impacted: "All versions starting from 5.1.1", package_slug: "gem/activeresource", pubdate: "2020-05-12", solution: "Upgrade to version 5.1.1 or above.", title: "Information Exposure", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2020-8151", ], uuid: "b28977be-1e0a-472f-ae63-d7f320efc6da", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:rubyonrails:active_resource:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "5.1.1", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve-assignments@hackerone.com", ID: "CVE-2020-8151", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-863", }, ], }, ], }, references: { reference_data: [ { name: "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8", refsource: "MISC", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8", }, { name: "FEDORA-2020-02646284df", refsource: "FEDORA", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSR/", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, }, }, lastModifiedDate: "2021-10-07T17:19Z", publishedDate: "2020-05-12T13:15Z", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.