CVE-2022-32224
CRITICAL9.8EPSS 1.9%Active Record RCE bug with Serialized Columns
發布日:2022/7/12修改日:2026/5/11
描述
When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.
受影響套件(2)
- Debian/railsfrom 0, < 2:6.0.3.7+dfsg-2+deb11u5
- RubyGems/activerecord>= 7.0.0, < 7.0.3.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(9)
- ADVISORYhttps://github.com/advisories/GHSA-3hhc-qp5v-9p2j
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-32224
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-32224
- PATCHhttps://github.com/rails/rails/commits/main/activerecord
- WEBhttps://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
- WEBhttps://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-32224.yml
- WEBhttps://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
- WEBhttps://lists.debian.org/debian-lts-announce/2026/05/msg00022.html