Ruby/railties/6.0.0.beta2


Rails internals: application bootup, plugins, generators, and rake tasks.

https://rubygems.org/gems/railties
MIT

1 Security Vulnerability

Possible Remote Code Execution Exploit in Rails Development Mode

Published date: 2019-03-13
Framework: rails
CVE: 2019-5420
CVSS V3: 9.8

There is a possible remote code execution exploit in Rails when running in development mode. This vulnerability has been assigned the CVE identifier CVE-2019-5420.

Versions Affected: 6.0.0.X, 5.2.X
Not affected: < 5.2.0
Fixed Versions: 6.0.0.beta3, 5.2.2.1

Impact

With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.

Workarounds

This issue can be mitigated by specifying a secret key in development mode. In config/environments/development.rb add this:

config.secret_key_base = SecureRandom.hex(64)
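As an added illustration of the workaround (example code, not from the advisory or the Rails project), the script below audits a config/environments/development.rb for an explicit, uncommented `config.secret_key_base` assignment and, when none is found, prints the line the advisory recommends. The two sample config texts are constructed for this example, and the helper names are this example's own.

```ruby
# Added example, not part of the advisory or of Rails: check whether a
# development environment file sets secret_key_base explicitly, which is the
# CVE-2019-5420 workaround given above. Sample config texts are constructed.

# True when the config text has an uncommented `config.secret_key_base = ...`.
def explicit_secret_key_base?(config_text)
  config_text.each_line.any? do |line|
    code = line.strip
    next false if code.start_with?("#")          # skip commented-out lines
    code.match?(/\Aconfig\.secret_key_base\s*=/)
  end
end

# The workaround line from the advisory (hex(64) gives 128 hex characters).
def workaround_line
  "config.secret_key_base = SecureRandom.hex(64)"
end

# Returns a small report for one config file's text.
def audit_development_config(config_text)
  ok = explicit_secret_key_base?(config_text)
  { explicit_secret: ok, suggestion: ok ? nil : workaround_line }
end

# Constructed sample: a development.rb that leaves the key unset (the
# assignment is only present as a comment, so it must not count).
DEFAULT_DEV_CONFIG = <<~RUBY
  Rails.application.configure do
    config.cache_classes = false
    # config.secret_key_base = "commented out, so not set"
  end
RUBY

# Constructed sample: the same file with the advisory's workaround applied.
PATCHED_DEV_CONFIG = <<~RUBY
  Rails.application.configure do
    config.cache_classes = false
    config.secret_key_base = SecureRandom.hex(64)
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || "config/environments/development.rb"
  text = File.exist?(path) ? File.read(path) : DEFAULT_DEV_CONFIG
  report = audit_development_config(text)
  if report[:explicit_secret]
    puts "#{path}: secret_key_base is set explicitly"
  else
    puts "#{path}: no explicit secret_key_base; add: #{report[:suggestion]}"
  end
end
```

Run it with the path to a development.rb as the first argument; without one it audits the constructed sample. Note that the advisory's line evaluates `SecureRandom.hex(64)` at boot, so the development key changes on every restart and cookies signed before a restart will no longer verify, which is acceptable in development and is the reason the workaround is scoped to that environment.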

Credits

Thanks to ooooooo_q

Affected versions: ["5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.0.0.beta2", "6.0.0.beta1", "5.2.1", "5.2.1.rc1"]
Secure versions: [3.0.0, 3.0.0.beta, 3.0.0.beta2, 3.0.0.beta3, 3.0.0.beta4, 3.0.0.rc, 3.0.0.rc2, 3.0.1, 3.0.10, 3.0.10.rc1, 3.0.11, 3.0.12, 3.0.12.rc1, 3.0.13, 3.0.13.rc1, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.2, 3.0.20, 3.0.3, 3.0.4, 3.0.4.rc1, 3.0.5, 3.0.5.rc1, 3.0.6, 3.0.6.rc1, 3.0.6.rc2, 3.0.7, 3.0.7.rc1, 3.0.7.rc2, 3.0.8, 3.0.8.rc1, 3.0.8.rc2, 3.0.8.rc4, 3.0.9, 3.0.9.rc1, 3.0.9.rc3, 3.0.9.rc4, 3.0.9.rc5, 3.1.0, 3.1.0.beta1, 3.1.0.rc1, 3.1.0.rc2, 3.1.0.rc3, 3.1.0.rc4, 3.1.0.rc5, 3.1.0.rc6, 3.1.0.rc8, 3.1.1, 3.1.1.rc1, 3.1.1.rc2, 3.1.1.rc3, 3.1.10, 3.1.11, 3.1.12, 3.1.2, 3.1.2.rc1, 3.1.2.rc2, 3.1.3, 3.1.4, 3.1.4.rc1, 3.1.5, 3.1.5.rc1, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.0.rc1, 3.2.0.rc2, 3.2.1, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.13.rc1, 3.2.13.rc2, 3.2.14, 3.2.14.rc1, 3.2.14.rc2, 3.2.15, 3.2.15.rc1, 3.2.15.rc2, 3.2.15.rc3, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.2, 3.2.2.rc1, 3.2.20, 3.2.21, 3.2.22, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 3.2.3, 3.2.3.rc1, 3.2.3.rc2, 3.2.4, 3.2.4.rc1, 3.2.5, 3.2.6, 3.2.7, 3.2.7.rc1, 3.2.8, 3.2.8.rc1, 3.2.8.rc2, 3.2.9, 3.2.9.rc1, 3.2.9.rc2, 3.2.9.rc3, 4.0.0, 4.0.0.beta1, 4.0.0.rc1, 4.0.0.rc2, 4.0.1, 4.0.1.rc1, 4.0.1.rc2, 4.0.1.rc3, 4.0.1.rc4, 4.0.10, 4.0.10.rc1, 4.0.10.rc2, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.0.13.rc1, 4.0.2, 4.0.3, 4.0.4, 4.0.4.rc1, 4.0.5, 4.0.6, 4.0.6.rc1, 4.0.6.rc2, 4.0.6.rc3, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.0.beta1, 4.1.0.beta2, 4.1.0.rc1, 4.1.0.rc2, 4.1.1, 4.1.10, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.11, 4.1.12, 4.1.12.rc1, 4.1.13, 4.1.13.rc1, 4.1.14, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15, 4.1.15.rc1, 4.1.16, 4.1.16.rc1, 4.1.2, 4.1.2.rc1, 4.1.2.rc2, 4.1.2.rc3, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.6.rc1, 4.1.6.rc2, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.9.rc1, 4.2.0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.1, 4.2.1.rc1, 4.2.1.rc2, 4.2.1.rc3, 4.2.1.rc4, 4.2.10, 4.2.10.rc1, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 
4.2.3, 4.2.3.rc1, 4.2.4, 4.2.4.rc1, 4.2.5, 4.2.5.1, 4.2.5.2, 4.2.5.rc1, 4.2.5.rc2, 4.2.6, 4.2.6.rc1, 4.2.7, 4.2.7.1, 4.2.7.rc1, 4.2.8, 4.2.8.rc1, 4.2.9, 4.2.9.rc1, 4.2.9.rc2, 5.0.0, 5.0.0.1, 5.0.0.beta1, 5.0.0.beta1.1, 5.0.0.beta2, 5.0.0.beta3, 5.0.0.beta4, 5.0.0.racecar1, 5.0.0.rc1, 5.0.0.rc2, 5.0.1, 5.0.1.rc1, 5.0.1.rc2, 5.0.2, 5.0.2.rc1, 5.0.3, 5.0.4, 5.0.4.rc1, 5.0.5, 5.0.5.rc1, 5.0.5.rc2, 5.0.6, 5.0.6.rc1, 5.0.7, 5.0.7.1, 5.0.7.2, 5.1.0, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.1, 5.1.2, 5.1.2.rc1, 5.1.3, 5.1.3.rc1, 5.1.3.rc2, 5.1.3.rc3, 5.1.4, 5.1.4.rc1, 5.1.5, 5.1.5.rc1, 5.1.6, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.0.beta1, 5.2.0.beta2, 5.2.0.rc1, 5.2.0.rc2, 5.2.2.1, 5.2.3, 5.2.3.rc1, 5.2.4, 5.2.4.1, 5.2.4.2, 5.2.4.3, 5.2.4.4, 5.2.4.5, 5.2.4.6, 5.2.4.rc1, 5.2.5, 5.2.6, 5.2.6.1, 5.2.6.2, 5.2.6.3, 5.2.7, 5.2.7.1, 5.2.8, 5.2.8.1, 6.0.0, 6.0.0.beta3, 6.0.0.rc1, 6.0.0.rc2, 6.0.1, 6.0.1.rc1, 6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.rc1, 6.0.2.rc2, 6.0.3, 6.0.3.1, 6.0.3.2, 6.0.3.3, 6.0.3.4, 6.0.3.5, 6.0.3.6, 6.0.3.7, 6.0.3.rc1, 6.0.4, 6.0.4.1, 6.0.4.2, 6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.4.6, 6.0.4.7, 6.0.4.8, 6.0.5, 6.0.5.1, 6.0.6, 6.0.6.1, 6.1.0, 6.1.0.rc1, 6.1.0.rc2, 6.1.1, 6.1.2, 6.1.2.1, 6.1.3, 6.1.3.1, 6.1.3.2, 6.1.4, 6.1.4.1, 6.1.4.2, 6.1.4.3, 6.1.4.4, 6.1.4.5, 6.1.4.6, 6.1.4.7, 6.1.5, 6.1.5.1, 6.1.6, 6.1.6.1, 6.1.7, 6.1.7.1, 6.1.7.10, 6.1.7.2, 6.1.7.3, 6.1.7.4, 6.1.7.5, 6.1.7.6, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.1, 7.0.2, 7.0.2.1, 7.0.2.2, 7.0.2.3, 7.0.2.4, 7.0.3, 7.0.3.1, 7.0.4, 7.0.4.1, 7.0.4.2, 7.0.4.3, 7.0.5, 7.0.5.1, 7.0.6, 7.0.7, 7.0.7.1, 7.0.7.2, 7.0.8, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.1, 7.1.2, 7.1.3, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 
8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.

434 Other Versions

Version      License   Security advisories   Released (UTC)
5.2.0        MIT       2                     2018-04-09 20:06
5.2.1        MIT       2                     2018-08-07 21:44
5.2.1.1      MIT       2                     2018-11-27 20:14
5.2.1.rc1    MIT       2                     2018-07-30 20:22
5.2.2        MIT       2                     2018-12-04 18:14
6.0.0.beta1  MIT       1                     2019-01-18 21:24
6.0.0.beta2  MIT       1                     2019-02-25 22:46
5.2.2.rc1    MIT       2                     2018-11-28 22:55
5.2.4.2      MIT       -                     2020-03-19 16:37
3.2.0        UNKNOWN   -                     2012-01-20 16:47
5.2.2.1      MIT       -                     2019-03-13 16:54
3.0.6.rc2    UNKNOWN   -                     2011-03-31 05:29
3.2.13.rc1   UNKNOWN   -                     2013-02-27 20:25
5.2.3.rc1    MIT       -                     2019-03-22 03:35
4.1.11       MIT       -                     2015-06-16 18:00
3.1.10       UNKNOWN   -                     2013-01-08 20:09
5.1.1        MIT       -                     2017-05-12 20:11
5.0.4        MIT       -                     2017-06-19 21:58
5.0.1        MIT       -                     2016-12-21 00:07
4.2.9        MIT       -                     2017-06-26 21:30
4.1.10.rc1   MIT       -                     2015-02-20 22:24
3.1.2        UNKNOWN   -                     2011-11-18 01:33
5.0.0.rc2    MIT       -                     2016-06-22 20:03
5.0.0.beta2  MIT       -                     2016-02-01 22:06
3.0.19       UNKNOWN   -                     2013-01-08 20:08
4.2.8.rc1    MIT       -                     2017-02-10 02:46
3.0.7.rc1    UNKNOWN   -                     2011-04-14 21:57
4.1.0.beta2  MIT       -                     2014-02-18 18:52
6.0.0.rc1    MIT       -                     2019-04-24 18:51
4.1.16       MIT       -                     2016-07-12 22:20
5.2.4.rc1    MIT       -                     2019-11-23 00:29
3.2.3        UNKNOWN   -                     2012-03-30 22:26
3.0.17       UNKNOWN   -                     2012-08-09 21:17
4.2.8        MIT       -                     2017-02-21 16:08
4.1.4        MIT       -                     2014-07-02 19:53
3.0.13       UNKNOWN   -                     2012-05-31 18:25
5.2.0.beta1  MIT       -                     2017-11-27 19:19
3.1.11       UNKNOWN   -                     2013-02-11 18:17
5.0.6        MIT       -                     2017-09-08 00:47
4.1.10       MIT       -                     2015-03-19 16:50
5.0.2        MIT       -                     2017-03-01 23:13
3.1.9        UNKNOWN   -                     2013-01-02 21:20
5.0.0        MIT       -                     2016-06-30 21:32
5.2.4.1      MIT       -                     2019-12-18 19:03
5.0.0.rc1    MIT       -                     2016-05-06 21:57
3.0.20       UNKNOWN   -                     2013-01-28 21:01
3.0.13.rc1   UNKNOWN   -                     2012-05-28 19:02
4.1.2.rc1    MIT       -                     2014-05-27 16:12
3.0.8.rc4    UNKNOWN   -                     2011-05-31 00:08
3.0.8.rc2    UNKNOWN   -                     2011-05-27 16:32