GMS-2022-301: Duplicate of ./gem/activestorage/CVE-2022-21831.yml

March 8, 2022

The Active Storage module of Rails starting with version 5.2.0 are possibly vulnerable to code injection. This issue was patched in versions 5.2.6.2, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.

References

github.com/advisories/GHSA-w749-p3v6-hccq
github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e
groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI
nvd.nist.gov/vuln/detail/CVE-2022-21831
rubysec.com/advisories/CVE-2022-21831/

Code Behaviors & Features

Detect and mitigate GMS-2022-301 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →