2020-06-22 Rails CVE-2020-8185 and Rack CVE-2020-8184 security issues
Two important security issues affecting Ruby and Rails applications have been discovered:
CVE-2020-8185: An attacker can execute any migrations that are pending for a Rails application running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already ran. You can find more info here. * Fixed versions: rails >= 22.214.171.124
CVE-2020-8184: Percent-encoded cookies can be used to overwrite existing prefixed cookie names. It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding (percent-encoding) on the name of the cookie. This could result in an application (which depends on this prefix to determine if a cookie is safe to process) being manipulated into processing an insecure or cross-origin request.. You can find more info here. * Fixed Versions: rack >= 2.2.3, rack >= 2.1.4
How to patch it
Ruby on Rails applications configure the Gem versions in their own “Gemfile” or “Gemfile.lock”. If you developed your own Ruby on Rails application, we strongly recommend updating both Gems to the fixed versions. You can also use the patches available from the official security announcements.
Bitnami is working to release new versions of the affected applications for all the supported platforms (installers, virtual machines, cloud images, containers and Helm Charts) as soon as the official project updates both Gems. Bitnami solutions affected are Discourse, CanvasLMS, Diaspora, edX, FatFreeCRM, Mattermost, Redmine, OpenProject, Spree, Publify, Ruby Stack (Rails sample application) and the Rails container.
If you have any of these solutions deployed and they have not been updated yet to the latest version, you can use the patches available from the official security announcements.
Do you have more questions? Please post to our community forums so we can help you there.