5 matches found
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the proxy controller when processing HTTP requests containing a large number of byte ranges in the Range header. An attacker can cause excessive CPU usage by sending requests with...
Glob Injection
Overview Affected versions of this package are vulnerable to Glob Injection via the DiskServicedeleteprefixed function. An attacker can delete unintended files from the storage directory by supplying blob keys containing glob metacharacters that are passed unescaped to Dir.glob. Remediation Upgra...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the Blobs::ProxyController. An attacker can exhaust server memory by sending requests with large or unbounded range headers. Remediation Upgrade activestorage to version 7.2.3.1, 8.0.4.1,...
Improper Handling of Values
Overview Affected versions of this package are vulnerable to Improper Handling of Values in the DirectUploadsController. A malicious direct-upload client can set contenttype flags like identified and analyzed to make a malicious uploaded file appear safe. Remediation Upgrade activestorage to...
Arbitrary Command Injection
Overview Affected versions of this package are vulnerable to Arbitrary Command Injection due to untrusted user input being accepted as transformation methods or parameters. An attacker can execute arbitrary commands on the server by supplying crafted input that circumvents safe defaults. Note: Th...