
[Maintenance] Upgrade Rails to 6.0.4.7

Alexandru Lupu - Tremend requested to merge maintenance/upgrade-rails into qa

Maintenance

Change log

  • Added:
  • Changed:
  • Deprecated:
  • Removed:
  • Fixed:
  • Security: Upgrade Rails to 6.0.4.7

Notes

[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage

There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability has been assigned the CVE identifier CVE-2022-21831.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

Impact

There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability impacts applications that use Active Storage with the image_processing gem together with the mini_magick back end for image_processing.

Vulnerable code will look something like this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.
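As an added example (not part of this merge request or of the Rails advisory), the snippet below shows the defensive counterpart of the vulnerable call above: instead of letting `params[:t]` pick the transformation method and `params[:v]` its argument, the application maps untrusted request parameters onto a fixed allowlist of transformation names and validates the arguments as bounded positive integers before anything reaches `blob.variant`. The module name `SafeVariant`, the two allowed transformations, the `WxH` argument format and the `MAX_DIMENSION` limit are assumptions chosen for the illustration; the hardened call site `blob.variant(SafeVariant.transformations(params))` is shown only in a comment because the example runs without Rails.

```ruby
# Added example, not code from the merge request or from Rails.
# Builds the transformations hash for blob.variant from untrusted params
# using an allowlist, so the client can choose neither the method name nor
# free-form arguments. Hypothetical hardened view/controller usage:
#   <%= image_tag blob.variant(SafeVariant.transformations(params)) %>
module SafeVariant
  class UntrustedTransformation < StandardError; end

  # Transformation names the app is willing to forward to image_processing,
  # mapped to the number of integer dimensions each one takes (assumption).
  ALLOWED = {
    "resize_to_limit" => 2,
    "resize_to_fill"  => 2,
  }.freeze

  # Upper bound on any dimension, to keep the image processor from being
  # asked for absurdly large output (assumed limit).
  MAX_DIMENSION = 4000

  # params: a Hash such as {"t" => "resize_to_limit", "v" => "300x200"}
  # (string or symbol keys, as in a Rails controller).
  # Returns e.g. { resize_to_limit: [300, 200] } or raises UntrustedTransformation.
  def self.transformations(params)
    name  = (params["t"] || params[:t]).to_s
    arity = ALLOWED[name]
    raise UntrustedTransformation, "transformation not allowed: #{name.inspect}" unless arity

    # Arguments are accepted only as "WxH"; anything else is rejected outright.
    parts = (params["v"] || params[:v]).to_s.split("x", -1)
    raise UntrustedTransformation, "expected #{arity} dimensions" unless parts.length == arity

    dims = parts.map do |part|
      unless part.match?(/\A[1-9]\d{0,3}\z/)
        raise UntrustedTransformation, "dimension must be a positive integer: #{part.inspect}"
      end
      n = Integer(part, 10)
      raise UntrustedTransformation, "dimension too large: #{n}" if n > MAX_DIMENSION
      n
    end

    # The key comes from ALLOWED, never from the request, so to_sym is safe here.
    { name.to_sym => dims }
  end

  # Convenience predicate for logging or tests: true if the params would be accepted.
  def self.safe?(params)
    transformations(params)
    true
  rescue UntrustedTransformation
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one acceptable request and one rejected one.
  p SafeVariant.transformations("t" => "resize_to_limit", "v" => "300x200")
  p SafeVariant.safe?("t" => "not_allowed", "v" => "300x200")
end
```

Requests that name an unlisted transformation, pass the wrong number of dimensions, or use non-numeric or oversized values raise `UntrustedTransformation`, which the controller can turn into a 400 response and log; the returned hash is the only thing that ever reaches `blob.variant`.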
