Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gitlabHttps://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-07517FC0977F2D1E0AFC9909B7E1DE40
HistoryJul 12, 2022 - 12:00 a.m.

RCE bug with Serialized Columns in Active Record

2022-07-1200:00:00
https://gitlab.com/gitlab-org/security-products/gemnasium-db
gitlab.com
18

0.001 Low

EPSS

Percentile

47.4%

JSON

When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.

There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.

Related

cve 1
github 1
ubuntucve 1
githubexploit 1
nessus 6
osv 2
cvelist 1
veracode 1
debiancve 1
prion 1
nvd 1
redhatcve 1
debian 2
gitlab 1
rubygems 1
redhat 3
openvas 1
rocky 1
cve
cve
CVE-2022-32224
2022-12-05 22:15:10
github
github
Active Record RCE bug with Serialized Columns
2022-07-12 19:39:47
ubuntucve
ubuntucve
CVE-2022-32224
2022-12-05 00:00:00
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Activerecord Project Activerecord
2022-07-17 04:09:03
nessus
nessus
openSUSE 15 Security Update : rubygem-activerecord-5.2 (openSUSE-SU-2023:0009-1)
2023-01-12 00:00:00
RHEL 7 / 8 : Satellite 6.11.5 Async Security Update (Critical) (RHSA-2023:1151)
2024-04-28 00:00:00
RHEL 8 : Satellite 6.12.1 Async Security Update (Critical) (RHSA-2023:0261)
2024-04-28 00:00:00
osv
osv
CVE-2022-32224
2022-12-05 22:15:10
Active Record RCE bug with Serialized Columns
2022-07-12 19:39:47
cvelist
cvelist
CVE-2022-32224
2022-12-05 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2022-07-13 10:37:13
debiancve
debiancve
CVE-2022-32224
2022-12-05 22:15:10
prion
prion
Sql injection
2022-12-05 22:15:00
nvd
nvd
CVE-2022-32224
2022-12-05 22:15:10
redhatcve
redhatcve
CVE-2022-32224
2022-07-20 09:43:52
debian
debian
[SECURITY] [DLA 3093-2] rails regression update
2022-09-15 07:58:25
[SECURITY] [DLA 3093-1] rails security update
2022-09-03 11:34:10
gitlab
gitlab
Deserialization of Untrusted Data
2022-12-05 00:00:00
rubygems
rubygems
Possible RCE escalation bug with Serialized Columns in Active Record
2022-07-11 21:00:00
redhat
redhat
(RHSA-2023:1151) Critical: Satellite 6.11.5 Async Security Update
2023-03-07 18:53:49
(RHSA-2023:0261) Critical: Satellite 6.12.1 Async Security Update
2023-01-18 14:49:14
(RHSA-2023:2097) Important: Satellite 6.13 Release
2023-05-03 13:09:51
openvas
openvas
Debian: Security Advisory (DLA-3093-1)
2022-09-04 00:00:00
rocky
rocky
Satellite 6.13 Release
2023-05-05 15:39:58

0.001 Low

EPSS

Percentile

47.4%

JSON
Related for GITLAB-07517FC0977F2D1E0AFC9909B7E1DE40
cve1github1ubuntucve1githubexploit1nessus6osv2cvelist1veracode1debiancve1prion1nvd1redhatcve1debian2gitlab1rubygems1redhat3openvas1rocky1