Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Rails Active Storage has possible glob injection in its DiskService
Vulnerability Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CVSS Information
N/A
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
Rails 注入漏洞
Vulnerability Description
Rails是美国Rails团队的一套基于Ruby语言的开源Web应用框架。 Rails Active Storage 8.1.2.1之前版本、8.0.4.1之前版本和7.2.3.1之前版本存在注入漏洞,该漏洞源于将blob密钥直接传递给Dir.glob而未转义通配符元字符,可能导致删除存储目录中的意外文件。
CVSS Information
N/A
Vulnerability Type
N/A