Immunity, Inc.
Name: rails_activestorage_rce
CVE: CVE-2019-5420
Exploit Pack: CANVAS
Description: Ruby on Rails Arbitrary Deserialization RCE (CVE-2019-5420)
Notes:
CVE Name: CVE-2019-5420
VENDOR: Rails
NOTES:

The vulnerability resides in the ActiveStorage component of Ruby on Rails, which passes insufficiently validated
data to Marshal.load().

This exploit works against Ruby on Rails applications running in production that are also vulnerable to Arbitrary File Disclosure (CVE-2019-5418):
the configuration files are read through that flaw in order to obtain the secret_key used to sign the encoded object sent in the URL.

IMPORTANT: In the path text field you need to enter a controller that is vulnerable to CVE-2019-5418.

Vulnerable Rails versions:
* < 5.2.2.1
* < 5.1.6.2
* < 5.0.7.2
* < 4.2.11.1

Tested on:
* Ubuntu 18.10, Rails 5.2.1

Repeatability: Infinite
References: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-5420
Date public: 13/03/2019
