Circumvention of file size limits in ActiveStorage

2020-05-2615:09:48

Google

osv.dev

0.003 Low

EPSS

Percentile

71.9%

JSON

There is a vulnerability in ActiveStorage’s S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.

Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1
Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size.

Workarounds

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.

CPENameOperatorVersion
activestorageeq6.0.2
activestorageeq5.2.2.1
activestorageeq6.0.1
activestorageeq6.0.2.rc2
activestorageeq5.2.1.1
activestorageeq5.2.0.rc1
activestorageeq5.2.0.rc2
activestorageeq6.0.3.rc1
activestorageeq5.2.0.beta2
activestorageeq6.0.1.rc1

Name	Operator	Version
activestorage	eq	6.0.2
activestorage	eq	5.2.2.1
activestorage	eq	6.0.1
activestorage	eq	6.0.2.rc2
activestorage	eq	5.2.1.1
activestorage	eq	5.2.0.rc1
activestorage	eq	5.2.0.rc2
activestorage	eq	6.0.3.rc1
activestorage	eq	5.2.0.beta2
activestorage	eq	6.0.1.rc1