A vulnerability classified as critical was found in Ruby on Rails up to 5.2.2.0/6.0.0.beta2 (Programming Language Software). Affected by this vulnerability is an unknown functionality of the component Development Mode. The manipulation with an unknown input leads to a input validation vulnerability. The CWE definition for the vulnerability is CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

The bug was discovered 03/13/2019. The weakness was presented 03/27/2019 (Website). The advisory is shared at groups.google.com. This vulnerability is known as CVE-2019-5420 since 01/04/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 14 days. During that time the estimated underground price was around $0-$5k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 13442 (Ruby on Rails Multiple Security Vulnerabilities).

Upgrading to version 5.2.2.1 or 6.0.0.beta3 eliminates this vulnerability.

See 132551 and 132552 for similar entries.

Productinfo

Type

• Programming Language Software

Name

• Ruby on Rails

Version

• 5.2.0
• 5.2.1
• 5.2.2
• 6.0.0.beta2

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion