Skip to content

[Maintenance] Upgrade Rails to 6.0.4.7

Alexandru Emil Lupu requested to merge maintenance/upgrade-rails into qa

Maintenance

Change log

  • Added:
  • Changed:
  • Deprecated:
  • Removed:
  • Fixed:
  • Security: Upgrade Rails to 6.0.4.7

Notes

[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage

There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability has been assigned the CVE identifier CVE-2022-21831.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

Impact

There is a possible code injection vulnerability in the Active Storage module of Rails. This vulnerability impacts applications that use Active Storage with the image_processing processing in addition to the mini_magick back end for image_processing.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Merge request reports