| Name | CVE-2022-32224 |
| Description | A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, < 6.1.6.1, < 6.0.5.1 and < 5.2.8.1, which could allow an attacker who can manipulate data in the database (for example via SQL injection) to escalate to RCE. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-4578-1 |
| Debian Bugs | 1016140 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| rails (PTS) | bullseye | 2:6.0.3.7+dfsg-2+deb11u2 | vulnerable |
| | bullseye (security) | 2:6.0.3.7+dfsg-2+deb11u5 | fixed |
| | bookworm, bookworm (security) | 2:6.1.7.10+dfsg-1~deb12u2 | fixed |
| | trixie (security), trixie | 2:7.2.2.2+dfsg-2~deb13u1 | fixed |
| | forky, sid | 2:7.2.3.1+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| rails | source | bullseye | 2:6.0.3.7+dfsg-2+deb11u5 | | DLA-4578-1 | |
| rails | source | (unstable) | 2:6.1.6.1+dfsg-1 | | | 1016140 |
https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
Fixed by: https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a (main)
Fixed by: https://github.com/rails/rails/commit/8ce4bd1be83c08c30c34af4d0f1a726066128176 (v6.1.6.1)
Fixed by: https://github.com/rails/rails/commit/d28f278788b599c0a9f6e3ea437c6642eb56f16c (v6.0.5.1)
Fixed by: https://github.com/rails/rails/commit/6576aa7bbcf52ebd39853363e29f92b4dd53b6f1 (v5.2.8.1)
Psych 4.0 makes 'YAML.load' an alias of 'YAML.safe_load' (it was previously the unsafe loader, now exposed as 'YAML.unsafe_load'); 'unsafe_load' was introduced in Psych 3.3.2.
"This may introduce backwards compatibility issues with existing data."
https://lists.debian.org/debian-lts/2022/09/msg00004.html
Adding 'Symbol' to 'yaml_column_permitted_classes' by default:
https://github.com/rails/rails/pull/45584
https://github.com/rails/rails/commit/fbb7f0b407c96cb38fba6b2e8cb8ce12252738da (v6.1.7)
https://github.com/rails/rails/commit/6a421e4a6a16eacfb7444108fd24c33d11cdd0a7 (v6.1.7)
https://github.com/rails/rails/commit/b521e2ecfc1f94b2d594f9ba9c5fa80b1c58566e (v6.0.6)
https://github.com/rails/rails/commit/aa5cac1c960190829be7c5e9441d9c07ac2ede69 (5-2-stable)
Performance follow-up:
https://github.com/rails/rails/commit/efc58abc8860a4901393e69361a216203cb21043 (v6.1.7)
https://github.com/rails/rails/commit/f69034d94868e58c83aeb4125dad80531b74efd4 (v6.1.7)
https://github.com/rails/rails/commit/9db14db093d2065a50ed1f14e70f78d35810e05a (v6.0.6)
https://github.com/rails/rails/commit/a5f27f6ace95e07ae30b6d92e71cb35f891d9b1a (v6.0.6)
https://github.com/rails/rails/commit/5436676014340247ee4e53ecd2c71cab34059383 (5-2-stable)
https://github.com/rails/rails/commit/21cd60ee88c413b2a58552c4b31c4d9e8c17f4eb (5-2-stable)
Further compatibility fix:
https://github.com/rails/rails/commit/e5ac49d986de0f9f1f7083422f04c08fa15e1616 (v6.1.7)
https://github.com/rails/rails/commit/e74d6ee33dcbd799c1e845f63876bd8d3fe29b05 (v6.1.7)
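Added example (not code from the Debian tracker, from Rails or from Psych) illustrating the description above and the Psych/Symbol notes: the pre-fix loader instantiates whatever '!ruby/object' class a tampered column names, 'safe_load' with an allow-list rejects it, and the same allow-list rejects ordinary Symbol-keyed data unless Symbol is permitted, which is why it was added to 'yaml_column_permitted_classes' by default. 'AppRecord', the two column strings and the method names are constructed for this example; the 'permitted' parameter stands in for the Rails config option.

```ruby
require 'yaml'

# Constructed stand-in for an application class that a tampered YAML document
# names with a !ruby/object tag. Psych never calls initialize; it allocates the
# object and assigns instance variables directly, which is why real chains pick
# classes whose later method calls have side effects. No gadget is used here.
class AppRecord
  attr_reader :name
end

# Constructed sample column contents. The first is what Rails' YAML coder
# normally stores (a Hash with Symbol keys); the second is what someone with
# write access to the column (e.g. via SQL injection) could store instead.
BENIGN_COLUMN   = { name: "widget", qty: 2 }.to_yaml
TAMPERED_COLUMN = "--- !ruby/object:AppRecord\nname: from attacker\n"

# Pre-fix behaviour. On Psych < 4 a plain YAML.load is the unsafe loader; on
# Psych >= 4 YAML.load is already safe_load, so unsafe_load is called explicitly
# (same respond_to? check the Rails fix commits use) to reproduce the old path.
def legacy_deserialize(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Fixed behaviour: safe_load with an explicit class allow-list. `permitted`
# stands in for config.active_record.yaml_column_permitted_classes; Rails
# 6.1.7 / 6.0.6 put Symbol in that list by default, as mirrored here.
def safe_deserialize(yaml, permitted: [Symbol])
  YAML.safe_load(yaml, permitted_classes: permitted, aliases: true)
end

# Reports what each loader produces for a column value: the class name of the
# deserialized object, or :rejected when Psych refuses a class not on the list.
def outcome(yaml, safe:, permitted: [Symbol])
  obj = safe ? safe_deserialize(yaml, permitted: permitted) : legacy_deserialize(yaml)
  obj.class.name
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy, benign:   #{outcome(BENIGN_COLUMN,   safe: false)}"
  puts "legacy, tampered: #{outcome(TAMPERED_COLUMN, safe: false)}"
  puts "safe,   tampered: #{outcome(TAMPERED_COLUMN, safe: true)}"
  puts "safe,   benign:   #{outcome(BENIGN_COLUMN,   safe: true)}"
  puts "safe, benign, Symbol not permitted: #{outcome(BENIGN_COLUMN, safe: true, permitted: [])}"
end
```

The last case is the backwards-compatibility break the advisory warns about: existing rows written with Symbol keys stop loading under the new allow-list until Symbol (and any other application class stored in the column) is added to 'yaml_column_permitted_classes'.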