Ruby/railties/6.0.0.beta1
Rails internals: application bootup, plugins, generators, and rake tasks.
https://rubygems.org/gems/railties
MIT
1 Security Vulnerabilities
Possible Remote Code Execution Exploit in Rails Development Mode
Published date: 2019-03-13
Framework: rails
CVE: 2019-5420
CVSS V3: 9.8
There is a possible a possible remote code executing exploit in Rails when in development mode. This vulnerability has been assigned the CVE identifier CVE-2019-5420.
Versions Affected: 6.0.0.X, 5.2.X. Not affected: < 5.2.0 Fixed Versions: 6.0.0.beta3, 5.2.2.1
Impact
With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.
Workarounds
This issue can be mitigated by specifying a secret key in development mode.
In config/environments/development.rb
add this:
config.secretkeybase = SecureRandom.hex(64)
Credits
Thanks to ooooooo_q
Affected versions:
["6.0.0.beta2", "6.0.0.beta1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0"]
Secure versions:
[6.1.0.rc1, 6.0.3.4, 6.0.3.3, 6.0.3.2, 6.0.3.1, 6.0.3, 6.0.3.rc1, 6.0.2.2, 6.0.2.1, 6.0.2, 6.0.2.rc2, 6.0.2.rc1, 6.0.1, 6.0.1.rc1, 6.0.0, 6.0.0.rc2, 6.0.0.rc1, 6.0.0.beta3, 5.2.4.4, 5.2.4.3, 5.2.4.2, 5.2.4.1, 5.2.4, 5.2.4.rc1, 5.2.3, 5.2.3.rc1, 5.2.2.1, 5.2.0.rc2, 5.2.0.rc1, 5.2.0.beta2, 5.2.0.beta1, 5.1.7, 5.1.7.rc1, 5.1.6.2, 5.1.6.1, 5.1.6, 5.1.5, 5.1.5.rc1, 5.1.4, 5.1.4.rc1, 5.1.3, 5.1.3.rc3, 5.1.3.rc2, 5.1.3.rc1, 5.1.2, 5.1.2.rc1, 5.1.1, 5.1.0, 5.1.0.rc2, 5.1.0.rc1, 5.1.0.beta1, 5.0.7.2, 5.0.7.1, 5.0.7, 5.0.6, 5.0.6.rc1, 5.0.5, 5.0.5.rc2, 5.0.5.rc1, 5.0.4, 5.0.4.rc1, 5.0.3, 5.0.2, 5.0.2.rc1, 5.0.1, 5.0.1.rc2, 5.0.1.rc1, 5.0.0.1, 5.0.0, 5.0.0.rc2, 5.0.0.rc1, 5.0.0.racecar1, 5.0.0.beta4, 5.0.0.beta3, 5.0.0.beta2, 5.0.0.beta1.1, 5.0.0.beta1, 4.2.11.3, 4.2.11.2, 4.2.11.1, 4.2.11, 4.2.10, 4.2.10.rc1, 4.2.9, 4.2.9.rc2, 4.2.9.rc1, 4.2.8, 4.2.8.rc1, 4.2.7.1, 4.2.7, 4.2.7.rc1, 4.2.6, 4.2.6.rc1, 4.2.5.2, 4.2.5.1, 4.2.5, 4.2.5.rc2, 4.2.5.rc1, 4.2.4, 4.2.4.rc1, 4.2.3, 4.2.3.rc1, 4.2.2, 4.2.1, 4.2.1.rc4, 4.2.1.rc3, 4.2.1.rc2, 4.2.1.rc1, 4.2.0, 4.2.0.rc3, 4.2.0.rc2, 4.2.0.rc1, 4.2.0.beta4, 4.2.0.beta3, 4.2.0.beta2, 4.2.0.beta1, 4.1.16, 4.1.16.rc1, 4.1.15, 4.1.15.rc1, 4.1.14.2, 4.1.14.1, 4.1.14, 4.1.14.rc2, 4.1.14.rc1, 4.1.13, 4.1.13.rc1, 4.1.12, 4.1.12.rc1, 4.1.11, 4.1.10, 4.1.10.rc4, 4.1.10.rc3, 4.1.10.rc2, 4.1.10.rc1, 4.1.9, 4.1.9.rc1, 4.1.8, 4.1.7.1, 4.1.7, 4.1.6, 4.1.6.rc2, 4.1.6.rc1, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.2.rc3, 4.1.2.rc2, 4.1.2.rc1, 4.1.1, 4.1.0, 4.1.0.rc2, 4.1.0.rc1, 4.1.0.beta2, 4.1.0.beta1, 4.0.13, 4.0.13.rc1, 4.0.12, 4.0.11.1, 4.0.11, 4.0.10, 4.0.10.rc2, 4.0.10.rc1, 4.0.9, 4.0.8, 4.0.7, 4.0.6, 4.0.6.rc3, 4.0.6.rc2, 4.0.6.rc1, 4.0.5, 4.0.4, 4.0.4.rc1, 4.0.3, 4.0.2, 4.0.1, 4.0.1.rc4, 4.0.1.rc3, 4.0.1.rc2, 4.0.1.rc1, 4.0.0, 4.0.0.rc2, 4.0.0.rc1, 4.0.0.beta1, 3.2.22.5, 3.2.22.4, 3.2.22.3, 3.2.22.2, 3.2.22.1, 3.2.22, 3.2.21, 3.2.20, 3.2.19, 3.2.18, 3.2.17, 3.2.16, 3.2.15, 3.2.15.rc3, 3.2.15.rc2, 3.2.15.rc1, 3.2.14, 3.2.14.rc2, 3.2.14.rc1, 3.2.13, 3.2.13.rc2, 3.2.13.rc1, 3.2.12, 3.2.11, 3.2.10, 3.2.9, 3.2.9.rc3, 3.2.9.rc2, 3.2.9.rc1, 3.2.8, 3.2.8.rc2, 3.2.8.rc1, 3.2.7, 3.2.7.rc1, 3.2.6, 3.2.5, 3.2.4, 3.2.4.rc1, 3.2.3, 3.2.3.rc2, 3.2.3.rc1, 3.2.2, 3.2.2.rc1, 3.2.1, 3.2.0, 3.2.0.rc2, 3.2.0.rc1, 3.1.12, 3.1.11, 3.1.10, 3.1.9, 3.1.8, 3.1.7, 3.1.6, 3.1.5, 3.1.5.rc1, 3.1.4, 3.1.4.rc1, 3.1.3, 3.1.2, 3.1.2.rc2, 3.1.2.rc1, 3.1.1, 3.1.1.rc3, 3.1.1.rc2, 3.1.1.rc1, 3.1.0, 3.1.0.rc8, 3.1.0.rc6, 3.1.0.rc5, 3.1.0.rc4, 3.1.0.rc3, 3.1.0.rc2, 3.1.0.rc1, 3.1.0.beta1, 3.0.20, 3.0.19, 3.0.18, 3.0.17, 3.0.16, 3.0.15, 3.0.14, 3.0.13, 3.0.13.rc1, 3.0.12, 3.0.12.rc1, 3.0.11, 3.0.10, 3.0.10.rc1, 3.0.9, 3.0.9.rc5, 3.0.9.rc4, 3.0.9.rc3, 3.0.9.rc1, 3.0.8, 3.0.8.rc4, 3.0.8.rc2, 3.0.8.rc1, 3.0.7, 3.0.7.rc2, 3.0.7.rc1, 3.0.6, 3.0.6.rc2, 3.0.6.rc1, 3.0.5, 3.0.5.rc1, 3.0.4, 3.0.4.rc1, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 3.0.0.rc2, 3.0.0.rc, 3.0.0.beta4, 3.0.0.beta3, 3.0.0.beta2, 3.0.0.beta, 6.1.0.rc2, 6.1.0, 6.1.1, 6.1.2, 6.1.2.1, 6.0.3.5, 5.2.4.5, 6.1.3, 6.1.3.1, 6.0.3.6, 5.2.5, 6.1.3.2, 6.0.3.7, 5.2.6, 5.2.4.6, 6.0.4, 6.1.4, 6.1.4.1, 6.0.4.1, 7.0.0.alpha2, 7.0.0.alpha1, 7.0.0.rc1, 7.0.0.rc3, 7.0.0.rc2, 6.1.4.3, 6.1.4.2, 6.0.4.3, 6.0.4.2, 7.0.0, 6.1.4.4, 6.0.4.4, 7.0.1, 7.0.2, 7.0.2.2, 7.0.2.1, 6.1.4.6, 6.1.4.5, 6.0.4.6, 6.0.4.5, 5.2.6.2, 5.2.6.1, 6.0.4.7, 5.2.6.3, 7.0.2.3, 6.1.4.7, 6.1.5, 5.2.7, 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1, 7.0.3, 6.1.6, 6.0.5, 5.2.8, 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1, 7.0.4, 6.1.7, 6.0.6, 7.0.4.1, 6.1.7.1, 6.0.6.1, 7.0.4.2, 6.1.7.2, 7.0.4.3, 6.1.7.3, 7.0.5, 7.0.5.1, 6.1.7.4, 7.0.6, 7.0.7, 7.0.7.2, 7.0.7.1, 6.1.7.6, 6.1.7.5, 7.0.8, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.3.2, 7.1.3.1, 7.0.8.1, 6.1.7.7]
Recommendation:
Update to version 7.1.3.2.
401 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 3.2.14.rc2 | MIT | 2013-07-16 - 16:13 | almost 11 years | |
| 3.2.14.rc1 | MIT | 2013-07-13 - 00:25 | almost 11 years | |
| 3.2.13 | UNKNOWN | 2013-03-18 - 17:13 | about 11 years | |
| 3.2.13.rc2 | UNKNOWN | 2013-03-06 - 23:06 | about 11 years | |
| 3.2.13.rc1 | UNKNOWN | 2013-02-27 - 20:25 | about 11 years | |
| 3.2.12 | UNKNOWN | 2013-02-11 - 18:18 | over 11 years | |
| 3.2.11 | UNKNOWN | 2013-01-08 - 20:09 | over 11 years | |
| 3.2.10 | UNKNOWN | 2013-01-02 - 21:20 | over 11 years | |
| 3.2.9 | UNKNOWN | 2012-11-12 - 15:22 | over 11 years | |
| 3.2.9.rc3 | UNKNOWN | 2012-11-09 - 18:02 | over 11 years | |
| 3.2.9.rc2 | UNKNOWN | 2012-11-01 - 17:39 | over 11 years | |
| 3.2.9.rc1 | UNKNOWN | 2012-10-29 - 17:07 | over 11 years | |
| 3.2.8 | UNKNOWN | 2012-08-09 - 21:24 | almost 12 years | |
| 3.2.8.rc2 | UNKNOWN | 2012-08-03 - 14:29 | almost 12 years | |
| 3.2.8.rc1 | UNKNOWN | 2012-08-01 - 21:00 | almost 12 years | |
| 3.2.7 | UNKNOWN | 2012-07-26 - 22:09 | almost 12 years | |
| 3.2.7.rc1 | UNKNOWN | 2012-07-23 - 21:46 | almost 12 years | |
| 3.2.6 | UNKNOWN | 2012-06-12 - 21:27 | almost 12 years | |
| 3.2.5 | UNKNOWN | 2012-06-01 - 03:39 | almost 12 years | |
| 3.2.4 | UNKNOWN | 2012-05-31 - 18:25 | almost 12 years | |
| 3.2.4.rc1 | UNKNOWN | 2012-05-28 - 19:02 | almost 12 years | |
| 3.2.3 | UNKNOWN | 2012-03-30 - 22:26 | about 12 years | |
| 3.2.3.rc2 | UNKNOWN | 2012-03-29 - 16:15 | about 12 years | |
| 3.2.3.rc1 | UNKNOWN | 2012-03-27 - 17:12 | about 12 years | |
| 3.2.2 | UNKNOWN | 2012-03-01 - 17:53 | about 12 years | |
| 3.2.2.rc1 | UNKNOWN | 2012-02-22 - 21:40 | about 12 years | |
| 3.2.1 | UNKNOWN | 2012-01-26 - 23:09 | over 12 years | |
| 3.2.0 | UNKNOWN | 2012-01-20 - 16:47 | over 12 years | |
| 3.2.0.rc2 | UNKNOWN | 2012-01-04 - 21:06 | over 12 years | |
| 3.2.0.rc1 | UNKNOWN | 2011-12-20 - 00:41 | over 12 years | |
| 3.1.12 | UNKNOWN | 2013-03-18 - 17:13 | about 11 years | |
| 3.1.11 | UNKNOWN | 2013-02-11 - 18:17 | over 11 years | |
| 3.1.10 | UNKNOWN | 2013-01-08 - 20:09 | over 11 years | |
| 3.1.9 | UNKNOWN | 2013-01-02 - 21:20 | over 11 years | |
| 3.1.8 | UNKNOWN | 2012-08-09 - 21:21 | almost 12 years | |
| 3.1.7 | UNKNOWN | 2012-07-26 - 22:09 | almost 12 years | |
| 3.1.6 | UNKNOWN | 2012-06-12 - 21:26 | almost 12 years | |
| 3.1.5 | UNKNOWN | 2012-05-31 - 18:25 | almost 12 years | |
| 3.1.5.rc1 | UNKNOWN | 2012-05-28 - 19:02 | almost 12 years | |
| 3.1.4 | UNKNOWN | 2012-03-01 - 17:53 | about 12 years | |
| 3.1.4.rc1 | UNKNOWN | 2012-02-22 - 21:40 | about 12 years | |
| 3.1.3 | UNKNOWN | 2011-11-20 - 22:52 | over 12 years | |
| 3.1.2 | UNKNOWN | 2011-11-18 - 01:33 | over 12 years | |
| 3.1.2.rc2 | UNKNOWN | 2011-11-14 - 15:49 | over 12 years | |
| 3.1.2.rc1 | UNKNOWN | 2011-11-14 - 14:17 | over 12 years | |
| 3.1.1 | UNKNOWN | 2011-10-07 - 15:31 | over 12 years | |
| 3.1.1.rc3 | UNKNOWN | 2011-10-06 - 02:32 | over 12 years | |
| 3.1.1.rc2 | UNKNOWN | 2011-09-29 - 22:17 | over 12 years | |
| 3.1.1.rc1 | UNKNOWN | 2011-09-15 - 00:31 | over 12 years | |
| 3.1.0 | UNKNOWN | 2011-08-31 - 02:19 | over 12 years | |
| 3.1.0.rc8 | UNKNOWN | 2011-08-29 - 03:28 | over 12 years | |
| 3.1.0.rc6 | UNKNOWN | 2011-08-16 - 22:33 | over 12 years | |
| 3.1.0.rc5 | UNKNOWN | 2011-07-25 - 23:05 | almost 13 years | |
| 3.1.0.rc4 | UNKNOWN | 2011-06-09 - 22:56 | almost 13 years | |
| 3.1.0.rc3 | UNKNOWN | 2011-06-08 - 21:27 | almost 13 years | |
| 3.1.0.rc2 | UNKNOWN | 2011-06-08 - 00:17 | almost 13 years | |
| 3.1.0.rc1 | UNKNOWN | 2011-05-22 - 02:26 | almost 13 years | |
| 3.1.0.beta1 | UNKNOWN | 2011-05-05 - 01:23 | about 13 years | |
| 3.0.20 | UNKNOWN | 2013-01-28 - 21:01 | over 11 years | |
| 3.0.19 | UNKNOWN | 2013-01-08 - 20:08 | over 11 years | |
| 3.0.18 | UNKNOWN | 2013-01-02 - 21:20 | over 11 years | |
| 3.0.17 | UNKNOWN | 2012-08-09 - 21:17 | almost 12 years | |
| 3.0.16 | UNKNOWN | 2012-07-26 - 22:09 | almost 12 years | |
| 3.0.15 | UNKNOWN | 2012-06-13 - 03:07 | almost 12 years | |
| 3.0.14 | UNKNOWN | 2012-06-12 - 21:26 | almost 12 years | |
| 3.0.13 | UNKNOWN | 2012-05-31 - 18:25 | almost 12 years | |
| 3.0.13.rc1 | UNKNOWN | 2012-05-28 - 19:02 | almost 12 years | |
| 3.0.12 | UNKNOWN | 2012-03-01 - 17:52 | about 12 years | |
| 3.0.12.rc1 | UNKNOWN | 2012-02-22 - 21:39 | about 12 years | |
| 3.0.11 | UNKNOWN | 2011-11-18 - 01:23 | over 12 years | |
| 3.0.10 | UNKNOWN | 2011-08-16 - 22:14 | over 12 years | |
| 3.0.10.rc1 | UNKNOWN | 2011-08-05 - 00:12 | almost 13 years | |
| 3.0.9 | UNKNOWN | 2011-06-16 - 10:04 | almost 13 years | |
| 3.0.9.rc5 | UNKNOWN | 2011-06-12 - 21:29 | almost 13 years | |
| 3.0.9.rc4 | UNKNOWN | 2011-06-12 - 21:24 | almost 13 years | |
| 3.0.9.rc3 | UNKNOWN | 2011-06-09 - 22:51 | almost 13 years | |
| 3.0.9.rc1 | UNKNOWN | 2011-06-08 - 21:20 | almost 13 years | |
| 3.0.8 | UNKNOWN | 2011-06-08 - 00:17 | almost 13 years | |
| 3.0.8.rc4 | UNKNOWN | 2011-05-31 - 00:08 | almost 13 years | |
| 3.0.8.rc2 | UNKNOWN | 2011-05-27 - 16:32 | almost 13 years | |
| 3.0.8.rc1 | UNKNOWN | 2011-05-26 - 00:12 | almost 13 years | |
| 3.0.7 | UNKNOWN | 2011-04-18 - 21:06 | about 13 years | |
| 3.0.7.rc2 | UNKNOWN | 2011-04-15 - 17:34 | about 13 years | |
| 3.0.7.rc1 | UNKNOWN | 2011-04-14 - 21:57 | about 13 years | |
| 3.0.6 | UNKNOWN | 2011-04-05 - 23:07 | about 13 years | |
| 3.0.6.rc2 | UNKNOWN | 2011-03-31 - 05:29 | about 13 years | |
| 3.0.6.rc1 | UNKNOWN | 2011-03-29 - 20:49 | about 13 years | |
| 3.0.5 | UNKNOWN | 2011-02-27 - 02:31 | about 13 years | |
| 3.0.5.rc1 | UNKNOWN | 2011-02-23 - 19:12 | about 13 years | |
| 3.0.4 | UNKNOWN | 2011-02-08 - 21:18 | over 13 years | |
| 3.0.4.rc1 | UNKNOWN | 2011-01-30 - 23:01 | over 13 years | |
| 3.0.3 | UNKNOWN | 2010-11-16 - 16:28 | over 13 years | |
| 3.0.2 | UNKNOWN | 2010-11-15 - 19:33 | over 13 years | |
| 3.0.1 | UNKNOWN | 2010-10-14 - 20:55 | over 13 years | |
| 3.0.0 | UNKNOWN | 2010-08-29 - 23:11 | over 13 years | |
| 3.0.0.rc2 | UNKNOWN | 2010-08-24 - 03:04 | over 13 years | |
| 3.0.0.rc | UNKNOWN | 2010-07-26 - 21:43 | almost 14 years | |
| 3.0.0.beta4 | UNKNOWN | 2010-06-08 - 22:31 | almost 14 years | |
| 3.0.0.beta3 | UNKNOWN | 2010-04-13 - 19:23 | about 14 years | |
| 3.0.0.beta2 | UNKNOWN | 2010-04-01 - 21:30 | about 14 years |