Potential path traversal and code execution vulnerability in tzinfo (CVE-2022-31163)
On Tuesday, a vulnerability in the tzinfo gem was disclosed that affects Rails applications (up to Rails 5). Tzinfo is the library containing time zone information. We recommend either updating the tzinfo gem directly, or updating to the new versions of Rails LTS, which include a dependency on the fixed version of tzinfo.
Impact
If an attacker is allowed to set the application to a time zone of their choosing, they could set time zone names of the form "\n../../../payload.rb", which would cause the server to execute a "payload.rb" file.
On Rails 2 and 3, this file also has to be in the load path.
On Rails 4 and 5, the file can be located anywhere, but the application is only vulnerable if it also uses the gem `tzinfo-data`.
This was fixed in tzinfo version 0.3.61 and 1.2.10. These versions are now enforced by Rails LTS.
Note on Rails 2 and 3
An attacker can still perform this attack if they are able to create arbitrary files of the form
tzinfo/definition/payload.rb
on the load path. Please ensure that you either
- make sure users cannot upload to a directory in the Ruby load path (this is good practice anyway)
- or disallow users from setting arbitrary strings as time zones
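One way to implement the second mitigation, rejecting arbitrary user-supplied time zone strings before they reach tzinfo, is an allowlist check. The code below is an added example and not part of the advisory or of the tzinfo or Rails LTS code bases; the constant KNOWN_TIME_ZONES is a constructed stand-in for the real identifier list, which in an application would come from TZInfo::Timezone.all_identifiers (tzinfo) or ActiveSupport::TimeZone.all.map(&:name) (Rails), and the helper names are chosen for this example.

```ruby
# Added example (not from the Rails LTS advisory): validate a user-supplied
# time zone name before handing it to tzinfo or Time.zone=.
#
# Constructed allowlist for this example. In a real application build it from
# TZInfo::Timezone.all_identifiers or ActiveSupport::TimeZone.all.map(&:name).
KNOWN_TIME_ZONES = %w[
  UTC
  Europe/Berlin
  Europe/London
  America/New_York
  Asia/Tokyo
].freeze

# Shape of a legitimate IANA identifier: segments of [A-Za-z0-9+_-] joined by "/".
# \A and \z anchor the whole string, so a leading newline, "..", a leading "/",
# or whitespace all fail the match.
TZ_IDENTIFIER_FORMAT = %r{\A[A-Za-z0-9+\-_]+(?:/[A-Za-z0-9+\-_]+)*\z}

# True only for a well-formed identifier that is also on the allowlist.
def valid_time_zone?(name)
  return false unless name.is_a?(String)
  return false unless name.match?(TZ_IDENTIFIER_FORMAT)

  KNOWN_TIME_ZONES.include?(name)
end

# Returns the validated identifier, or +fallback+ when the input is rejected,
# so callers never pass an unvalidated string on to the time zone lookup.
def safe_time_zone(name, fallback: "UTC")
  valid_time_zone?(name) ? name : fallback
end

if __FILE__ == $PROGRAM_NAME
  # The second input is the malicious form quoted in the advisory; it is rejected.
  ["Europe/Berlin", "\n../../../payload.rb", "../Europe/Berlin", "Asia/Tokyo"].each do |input|
    puts "#{input.inspect} -> #{safe_time_zone(input)}"
  end
end
```

The format check alone is not sufficient; the allowlist membership test is what guarantees that only identifiers your time zone library actually ships are ever looked up. If your application stores the Rails friendly names ("Berlin") rather than IANA identifiers, validate against ActiveSupport::TimeZone.all.map(&:name) instead of the identifier list.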
Further note on Rails 2
When upgrading Rails 2 using bundler, you might not get a new version of tzinfo. In this case, your app uses a tzinfo version bundled with Rails. This version has been fixed as well.
Best
- the Rails LTS team