Improper Validation

Affecting activestorage gem, versions <5.2.4.3 || >=6.0.0, <6.0.3.1


Overview

Affected versions of this package are vulnerable to Improper Validation. An attacker can change the Content-Length of an S3 direct upload URL without obtaining a new signature from the server, so the size the server validated is not the size the storage service enforces. This could be used to bypass controls on the server that limit upload size.
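To make the failure mode concrete, the following is an added, constructed Ruby model of a signed direct-upload authorisation; it is not ActiveStorage's code, nor the S3 signing scheme, and every name in it (`issue`, `storage_accepts?`, `tamper`, `MAX_UPLOAD_BYTES`) is hypothetical. It contrasts an issuer that leaves the content length outside the signature with one that binds it, and shows that only the second forces a client who changes the size to come back to the server for a new signature.

```ruby
require "openssl"

# Constructed demo values: the server's signing secret and its upload-size policy.
SECRET = "constructed-demo-secret-do-not-reuse".freeze
MAX_UPLOAD_BYTES = 10 * 1024 * 1024 # 10 MiB

# Canonical string over the signed fields; the list of signed field names is
# itself part of the string, so a client cannot shrink the signed set.
def canonical(fields, signed_keys)
  body = fields.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}=#{v}" }.join("&")
  "#{body}&signed=#{signed_keys.join(';')}"
end

def sign(fields, signed_keys)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, canonical(fields, signed_keys))
end

# Constant-time comparison so the verifier does not leak the signature byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: enforce the size policy, then hand out signed upload parameters.
# `signed_keys` decides which of those parameters the signature actually binds.
def issue(key:, content_type:, content_length:, signed_keys:)
  raise ArgumentError, "upload exceeds #{MAX_UPLOAD_BYTES} bytes" if content_length > MAX_UPLOAD_BYTES
  params = { key: key, content_type: content_type, content_length: content_length }
  { params: params, signed_keys: signed_keys, sig: sign(params.slice(*signed_keys), signed_keys) }
end

# Storage side: knows nothing about the application's size policy. It only
# checks that the signed subset of parameters is intact.
def storage_accepts?(token)
  expected = sign(token[:params].slice(*token[:signed_keys]), token[:signed_keys])
  secure_compare(expected, token[:sig])
end

# Weak issuer: the size the server validated is not covered by the signature.
def weak_issue(key:, content_type:, content_length:)
  issue(key: key, content_type: content_type, content_length: content_length,
        signed_keys: %i[key content_type])
end

# Hardened issuer: content_length is bound into the signature, so a changed
# size invalidates the token and a new signature is needed from the server.
def hardened_issue(key:, content_type:, content_length:)
  issue(key: key, content_type: content_type, content_length: content_length,
        signed_keys: %i[key content_type content_length])
end

# Models a client editing the advertised size after the server has signed.
def tamper(token, new_length)
  token.merge(params: token[:params].merge(content_length: new_length))
end

# Runs both variants against the same edited size and reports what storage would accept.
def demo
  args = { key: "uploads/report.pdf", content_type: "application/pdf", content_length: 1024 }
  oversized = 50 * 1024 * 1024
  {
    weak_tampered_accepted: storage_accepts?(tamper(weak_issue(**args), oversized)),
    hardened_tampered_accepted: storage_accepts?(tamper(hardened_issue(**args), oversized)),
    hardened_untampered_accepted: storage_accepts?(hardened_issue(**args))
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Running the file prints a hash in which only the weak variant accepts the edited size. The design point is that a server-side size check is only as strong as the signature that carries it to the storage service; checking the stored blob's actual size on the server after the upload completes (ActiveStorage blobs record a `byte_size`) is an independent control that does not depend on the signed URL at all.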

Remediation

Upgrade activestorage to version 5.2.4.3, 6.0.3.1 or higher.

CVSS Score

5.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Credit
Unknown
CVE
CVE-2020-8162
CWE
CWE-20
Snyk ID
SNYK-RUBY-ACTIVESTORAGE-569602
Disclosed
19 May, 2020
Published
19 May, 2020