Lucene search

K
hackeroneGquadros_H1:1652042
HistoryJul 27, 2022 - 8:03 p.m.

Internet Bug Bounty: CVE-2022-21831: Possible code injection vulnerability in Rails / Active Storage

2022-07-2720:03:32
gquadros_
hackerone.com
$2000
81
internet bug bounty
cve-2022-21831
code injection
vulnerability
rails
active storage
rce
bugbounty

EPSS

0.048

Percentile

92.8%

Original report: https://hackerone.com/reports/1154034
Rails advisory: https://discuss.rubyonrails.org/t/cve-2022-21831-possible-code-injection-vulnerability-in-rails-active-storage/80199
Blogpost: https://blog.convisoappsec.com/en/cve-2022-21831-overview-of-the-security-issues-we-found-in-railss-image-processing-api/

If the report is eligible for a bounty, please split it equally between me and @rsilva, if possible.

Impact

Vulnerable code patterns could allow the attacker to achieve RCE.