CVE-2020-8162

7.5 HIGH

📋 TL;DR

A vulnerability in the S3 service of Ruby on Rails ActiveStorage lets an end user change the Content-Length of a direct file upload. The presigned S3 PUT URL that the server hands to the browser did not cover Content-Length in its signature, so a client that obtained a URL for a small declared byte_size could upload a much larger body to the bucket without the server issuing a new signature. Any upload size control that relies on the declared size is bypassed. It affects ActiveStorage S3 direct uploads in Rails 5.2.0 up to (not including) 5.2.4.3 and 6.0.0 up to (not including) 6.0.3.1; the advisory text lists 5.2.4.2 in its affected line, but 5.2.4.2 predates the fix and the release that carries it is 5.2.4.3. Attackers can store files far larger than intended, exhausting storage and driving up cost, and can place files the application's size-based checks were meant to refuse.

💻 Affected Systems

Products:
  • Ruby on Rails
Versions: Rails 5.2.0 up to (not including) 5.2.4.3; Rails 6.0.0 up to (not including) 6.0.3.1
Operating Systems: All
Default Config Vulnerable: No. A freshly generated app stores files with the Disk service; exposure requires selecting the S3 service in config/storage.yml and enabling direct uploads (direct_upload: true on the file field).
Notes: Only applications using ActiveStorage's S3 service with direct uploads are affected. ActiveStorage did not exist before Rails 5.2, so earlier releases are not affected; the advisory scopes the issue to the S3 service, and uploads that pass through the application server are not affected either.

📦 What is this software?

Ruby on Rails is a web application framework written in Ruby. ActiveStorage, bundled with Rails since 5.2, attaches uploaded files to models and stores them in a configured service such as local disk or Amazon S3. With direct uploads, the browser asks the application for a short-lived presigned URL and then sends the file body straight to the storage service, so the file never passes through the Rails process.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Storage exhaustion attacks leading to service disruption, unauthorized large file uploads consuming resources, potential for uploading malicious files that bypass size-based filtering.

🟠

Likely Case

Unauthorized large file uploads to S3 buckets, increased storage costs, potential for uploading files that bypass application logic based on file size.

🟢

If Mitigated

Limited impact where the application reconciles each uploaded object's real size against the blob's declared byte_size after upload (purging mismatches), or where direct uploads are disabled so the body passes through the application and can be measured there.

🌐 Internet-Facing: HIGH - Direct upload endpoints are typically internet-facing, and the bypass defeats server-side size controls that rely on the declared byte_size, not merely client-side checks.
🏢 Internal Only: MEDIUM - Internal applications with direct uploads on vulnerable versions are still affected; the only difference is who can reach the upload endpoint.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes, where the direct-upload endpoint is reachable without authentication (ActiveStorage::DirectUploadsController applies none on its own; applications must add their own)
Complexity: LOW

Exploitation requires access to the direct-upload flow but is straightforward: request a presigned URL for a small declared byte_size, then send the PUT to S3 with a larger body and a matching Content-Length. The signature still verifies because Content-Length was not among the signed headers, so no further interaction with the application is needed.
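To see why an unsigned Content-Length is enough, here is an added toy model of presigned-URL verification, written for this page and not ActiveStorage's or AWS's code: a server signs a request over a chosen set of headers, storage recomputes the signature over the request as actually sent, and the client is free to alter anything outside that set. The signing secret, header names and object key are assumptions; the "fixed" branch mirrors the upstream fix, which adds Content-Length to the headers the presigned URL signs.

```ruby
require "openssl"

# Added illustration of the bug class, not AWS SigV4 and not ActiveStorage's own
# code: a presigned PUT only protects the request parts its signature covers.
# The signing secret and header set are assumptions for the model.
SIGNING_SECRET = "server-side-signing-secret"

# Build the string to sign from the method, key, and ONLY the headers named in
# signed_header_names (mirrors SigV4's SignedHeaders list).
def canonical_request(method, key, headers, signed_header_names)
  names = signed_header_names.map(&:downcase).sort
  covered = names.map { |h| "#{h}:#{headers.fetch(h)}" }
  [method, key, names.join(";"), *covered].join("\n")
end

def sign(canonical)
  OpenSSL::HMAC.hexdigest("SHA256", SIGNING_SECRET, canonical)
end

# Server side: issue a presigned PUT for a blob the client declared as
# declared_length bytes. bind_content_length: false models the vulnerable S3
# service (Content-Length never signed); true models the fixed one.
def presign_put(key, declared_length, bind_content_length:)
  signed = ["content-type"]
  signed << "content-length" if bind_content_length
  headers = { "content-type" => "application/octet-stream",
              "content-length" => declared_length.to_s }
  { key: key, signed_headers: signed,
    signature: sign(canonical_request("PUT", key, headers, signed)) }
end

# Storage side: recompute the signature over the request as actually sent and
# accept only if it matches. (A real implementation compares in constant time.)
def accept_put?(url, request_headers)
  expected = sign(canonical_request("PUT", url[:key], request_headers, url[:signed_headers]))
  expected == url[:signature]
end

# Client side: the client controls the real request, so it can send any
# Content-Length it likes together with the URL it was given.
def client_put(url, actual_length)
  accept_put?(url, { "content-type" => "application/octet-stream",
                     "content-length" => actual_length.to_s })
end

# Same declared size, same oversized upload, against both signing behaviours.
def demo(declared: 1_000, actual: 50_000_000)
  vulnerable = presign_put("uploads/k1a2b3c4d5", declared, bind_content_length: false)
  fixed      = presign_put("uploads/k1a2b3c4d5", declared, bind_content_length: true)
  {
    vulnerable_honest:   client_put(vulnerable, declared), # true
    vulnerable_oversize: client_put(vulnerable, actual),   # true: size was never signed
    fixed_honest:        client_put(fixed, declared),      # true
    fixed_oversize:      client_put(fixed, actual),        # false: signature no longer matches
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The only difference between the two branches is whether "content-length" appears in the signed header list; nothing about the body or the declared size changes. That is the whole defect: a size limit enforced on the declared byte_size is meaningless if the storage service does not bind the same number into the credential it accepts.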

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Rails 5.2.4.3 (the 5.2.4.2 sometimes quoted predates the fix), Rails 6.0.3.1

Vendor Advisory: https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ

Restart Required: Yes

Instructions:

1. Raise the rails constraint in the Gemfile to a fixed release (>= 5.2.4.3 for the 5.2 series, >= 6.0.3.1 for 6.0).
2. Run bundle update rails and confirm the resolved version in Gemfile.lock.
3. Restart the application server so the new ActiveStorage code, which binds Content-Length into the presigned URL's signature, is loaded.
4. Verify that direct uploads still work end to end. Presigned URLs issued before the restart remain usable until they expire.

🔧 Temporary Workarounds

Disable S3 Direct Uploads

Applies to: all

Until the patch is in, route uploads through the application server instead of straight to S3 so the body can be measured before it is stored.

Remove direct_upload: true from file_field helpers (and any custom JavaScript that calls the direct-upload endpoint). There is no config.active_storage.direct_uploads switch in Rails; direct upload is opted into per field. Once the file passes through the application, its size can be checked in the controller (for example on params[:file].size) before it is attached.

Implement Server-Side Upload Validation

Applies to: all

Validate size against the object as stored, not the client-declared byte_size: after a direct upload completes, compare the size S3 reports for the object (a HEAD request) with blob.byte_size and purge the blob on mismatch. Validations on the declared byte_size alone are exactly what this CVE bypasses.

🧯 If You Can't Patch

  • S3 bucket policies offer no condition on object size, so they cannot enforce a cap here; instead run a periodic reconciliation that compares each stored object's size with the blob's declared byte_size and purges mismatches.
  • A WAF or proxy in front of the application never sees the PUT to S3 (the browser sends it to the bucket directly), so it cannot validate that Content-Length; it can only cap the declared byte_size in the POST to /rails/active_storage/direct_uploads, which does not close the bypass.

🔍 How to Verify

Check if Vulnerable:

Read the resolved rails version from Gemfile.lock (the resolved gem line, not the Gemfile constraint). If the application uses the ActiveStorage S3 service with direct uploads and the version is in the 5.2 series below 5.2.4.3 or the 6.0 series below 6.0.3.1, it is vulnerable. Versions before 5.2.0 have no ActiveStorage and are not affected.

Check Version:

bundle exec rails --version  OR  grep -E '^    rails \(' Gemfile.lock

Verify Fix Applied:

Confirm the resolved version is >= 5.2.4.3 (5.2 series) or >= 6.0.3.1. Then test the flow itself: obtain a presigned direct-upload URL for a small byte_size and PUT a larger body to it. On a fixed version S3 rejects the request with 403 SignatureDoesNotMatch because Content-Length is now part of the signed headers; on a vulnerable version the oversized object is stored. Also look for oversized objects left over from before the upgrade by comparing stored object sizes with blob byte_size values.
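The version check above, as an added Ruby helper that is not part of Rails or Bundler: it classifies a version against the affected ranges and reads the resolved rails line out of a Gemfile.lock. The lockfile fragment is constructed for the example, and the helper assumes the standard lockfile layout in which the resolved gem line is indented four spaces.

```ruby
require "rubygems"

# Added helper, not part of Rails: classify a Rails version against the
# CVE-2020-8162 affected ranges (5.2.0 <= v < 5.2.4.3, 6.0.0 <= v < 6.0.3.1)
# and read the locked version from a Gemfile.lock.
FIRST_ACTIVESTORAGE = Gem::Version.new("5.2.0")   # ActiveStorage first shipped in 5.2
FIXED_5_2 = Gem::Version.new("5.2.4.3")
FIXED_6_0 = Gem::Version.new("6.0.3.1")

def vulnerable_rails?(version)
  v = version.is_a?(Gem::Version) ? version : Gem::Version.new(version)
  return false if v < FIRST_ACTIVESTORAGE   # no ActiveStorage at all
  return false if v >= FIXED_6_0            # 6.0.3.1 and every later series
  v.segments[0, 2] == [6, 0] ? true : v < FIXED_5_2
end

# The resolved rails line in Gemfile.lock looks like "    rails (6.0.3)";
# dependency lines ("      railties (= 6.0.3)") and the DEPENDENCIES section
# ("  rails (~> 6.0.3)") use different indentation and are skipped.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \(([^)\s]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

def assess_lockfile(lockfile_text)
  v = locked_rails_version(lockfile_text)
  return { version: nil, vulnerable: nil, note: "no resolved rails gem found" } unless v
  vuln = vulnerable_rails?(v)
  target = v.segments[0] == 6 ? FIXED_6_0 : FIXED_5_2
  { version: v.to_s, vulnerable: vuln,
    note: vuln ? "upgrade rails to #{target}" : "not in the affected range" }
end

# Constructed lockfile fragment for demonstration (not from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (6.0.3)
        actioncable (= 6.0.3)
        activestorage (= 6.0.3)
        railties (= 6.0.3)

  DEPENDENCIES
    rails (~> 6.0.3)
LOCK

puts assess_lockfile(SAMPLE_LOCKFILE).inspect if $PROGRAM_NAME == __FILE__
```

Run it against a real project with assess_lockfile(File.read("Gemfile.lock")). The range check is deliberately series-aware: 6.0.0 pre-releases and 6.0.3 are flagged, 5.2.4.3 and anything from 6.0.3.1 on are not, and anything below 5.2.0 is reported as not affected because ActiveStorage does not exist there.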

📡 Detection & Monitoring

Log Indicators:

  • The application log only records the POST to /rails/active_storage/direct_uploads with the declared byte_size; the abusive PUT goes to S3 and appears only in S3 server access logs (operation REST.PUT.OBJECT) or CloudTrail S3 data events.
  • An S3 PUT whose object size is larger than the byte_size stored for the same key in active_storage_blobs.
  • Uploads exceeding the application's configured size limit despite having passed its validation.

Network Indicators:

  • PUT requests to the bucket whose Content-Length exceeds the byte_size the same client declared to the application moments earlier.
  • Bursts of very large direct uploads from a small set of client addresses.

SIEM Query:

Pseudo-query (index and field names assumed): join S3 server access log PUT records with an export of active_storage_blobs on the object key and flag any object larger than its declared size.

index=s3_access operation="REST.PUT.OBJECT" http_status=200
| join key [ search index=app_db sourcetype=active_storage_blobs | fields key byte_size ]
| where object_size > byte_size
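The same comparison as an added Ruby script, not part of Rails or any vendor tooling: it parses S3 server access log lines, keeps successful PUTs, and joins them against the sizes recorded for each blob. It serves both as the log-based detection described here and, run on a schedule, as the independent server-side size check listed under the workarounds. The log lines and blob records are constructed samples; the bucket owner ID, request IDs and keys are made up.

```ruby
# Added reconciliation/detection script. Inputs: S3 server access log text and
# an array of {key:, byte_size:} records from active_storage_blobs. Output:
# successful PUTs that stored more bytes than the blob declared, plus keys
# written to the bucket that the application has no blob record for.

# Leading fields of the S3 server access log format: bucket owner, bucket,
# [time], remote IP, requester, request ID, operation, key, "request-URI",
# HTTP status, error code, bytes sent, object size. Later fields are ignored.
S3_LOG_RE = /\A(?<owner>\S+) (?<bucket>\S+) \[(?<time>[^\]]+)\] (?<ip>\S+) (?<requester>\S+) (?<request_id>\S+) (?<operation>\S+) (?<key>\S+) "(?<uri>[^"]*)" (?<status>\S+) (?<error>\S+) (?<bytes_sent>\S+) (?<object_size>\S+)/

def parse_s3_log_line(line)
  m = S3_LOG_RE.match(line)
  return nil unless m
  {
    time: m[:time], ip: m[:ip], request_id: m[:request_id],
    operation: m[:operation], key: m[:key], status: m[:status].to_i,
    object_size: m[:object_size] == "-" ? nil : m[:object_size].to_i,
  }
end

# Only completed object writes matter: REST.PUT.OBJECT with a 2xx status.
def successful_puts(log_text)
  log_text.each_line.map { |l| parse_s3_log_line(l.chomp) }.compact
          .select { |r| r[:operation] == "REST.PUT.OBJECT" && (200..299).cover?(r[:status]) }
end

# blobs: [{key:, byte_size:}] as stored in active_storage_blobs.
def size_mismatches(blobs, log_text)
  declared = blobs.to_h { |b| [b[:key], b[:byte_size]] }
  mismatches, unknown = [], []
  successful_puts(log_text).each do |put|
    if declared.key?(put[:key])
      size = declared[put[:key]]
      mismatches << put.merge(declared_size: size) if put[:object_size] && put[:object_size] > size
    else
      unknown << put[:key]   # written to the bucket without a blob record
    end
  end
  { mismatches: mismatches, unknown_keys: unknown.uniq }
end

# Constructed sample inputs (not real log data).
SAMPLE_BLOBS = [
  { key: "k1a2b3c4d5e6f7g8h9i0j1k2l3m4", byte_size: 1_048_576 },
  { key: "z9y8x7w6v5u4t3s2r1q0p9o8n7m6", byte_size: 2_048 },
]
SAMPLE_S3_LOG = <<~LOG
  OWNERCANONICALID example-bucket [18/May/2020:12:00:01 +0000] 198.51.100.7 - 3E57427F33A59F07 REST.PUT.OBJECT k1a2b3c4d5e6f7g8h9i0j1k2l3m4 "PUT /example-bucket/k1a2b3c4d5e6f7g8h9i0j1k2l3m4 HTTP/1.1" 200 - - 1048576 31 8 "-" "Mozilla/5.0" -
  OWNERCANONICALID example-bucket [18/May/2020:12:00:09 +0000] 203.0.113.9 - 7C9E2D1AB0FF4321 REST.PUT.OBJECT z9y8x7w6v5u4t3s2r1q0p9o8n7m6 "PUT /example-bucket/z9y8x7w6v5u4t3s2r1q0p9o8n7m6 HTTP/1.1" 200 - - 734003200 9120 8 "-" "Mozilla/5.0" -
  OWNERCANONICALID example-bucket [18/May/2020:12:00:12 +0000] 203.0.113.9 - 8D0F3E2BC1004432 REST.PUT.OBJECT z9y8x7w6v5u4t3s2r1q0p9o8n7m6 "PUT /example-bucket/z9y8x7w6v5u4t3s2r1q0p9o8n7m6 HTTP/1.1" 403 SignatureDoesNotMatch - - 12 - "-" "Mozilla/5.0" -
  OWNERCANONICALID example-bucket [18/May/2020:12:01:00 +0000] 198.51.100.7 - 1A2B3C4D5E6F7081 REST.GET.OBJECT k1a2b3c4d5e6f7g8h9i0j1k2l3m4 "GET /example-bucket/k1a2b3c4d5e6f7g8h9i0j1k2l3m4 HTTP/1.1" 200 - 1048576 1048576 40 7 "-" "curl/7.68.0" -
  OWNERCANONICALID example-bucket [18/May/2020:12:02:30 +0000] 203.0.113.9 - 9E1F4A3CD2115543 REST.PUT.OBJECT stray000000000000000000000000 "PUT /example-bucket/stray000000000000000000000000 HTTP/1.1" 200 - - 5242880 60 9 "-" "aws-cli/2.0" -
LOG

puts size_mismatches(SAMPLE_BLOBS, SAMPLE_S3_LOG).inspect if $PROGRAM_NAME == __FILE__
```

On the sample data the 734 MB object stored under the key declared as 2,048 bytes is reported, the rejected 403 PUT and the GET are ignored, and the key with no blob record is listed separately, since an object nobody attached is itself worth a look. For a live check rather than a log replay, replace the log parser with a HEAD on each object and compare the reported size against blob.byte_size.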

🔗 References

  • Rails security advisory for CVE-2020-8162: https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ