{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/active-storage/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Storage"],"_cs_severities":["high"],"_cs_tags":["rails","active storage","path traversal","cve-2026-33195"],"_cs_type":"advisory","_cs_vendors":["Ruby on Rails"],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in the Active Storage component of Ruby on Rails. Specifically, the vulnerability resides within the \u003ccode\u003eDiskService#path_for\u003c/code\u003e method. This method lacks proper validation to ensure that the resolved filesystem path remains within the designated storage root directory. An attacker can exploit this by crafting a blob key containing path traversal sequences, such as \u0026quot;../\u0026quot;, to navigate outside the intended storage area. This can lead to unauthorized access, potentially allowing the reading, writing, or deletion of arbitrary files on the server. This vulnerability particularly impacts applications where user-supplied input is used to construct blob keys. The affected versions are Active Storage versions before 7.2.3.1, versions 8.0.0.beta1 up to 8.0.4.1, and versions 8.1.0.beta1 up to 8.1.2.1. The CVE associated with this vulnerability is CVE-2026-33195.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of Rails Active Storage.\u003c/li\u003e\n\u003cli\u003eThe attacker finds an endpoint where user-controlled input is used as a blob key for Active Storage.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious blob key containing path traversal sequences (e.g., \u0026quot;../../../etc/passwd\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe application uses the attacker-controlled blob key within the \u003ccode\u003eDiskService#path_for\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation, \u003ccode\u003eDiskService#path_for\u003c/code\u003e resolves a file path outside the intended storage directory.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read, write, or delete a file based on the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive files or modifies critical system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution or data exfiltration by leveraging the ability to write to arbitrary files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to read, write, or delete arbitrary files on the server. The number of affected applications is currently unknown, but any application using a vulnerable version of Rails Active Storage and processing user-supplied blob keys is at risk. This can result in complete compromise of the affected server, including data theft, system modification, and denial of service. The severity of the impact depends on the privileges of the Rails application and the sensitivity of the data stored on the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to the latest patched versions of Active Storage: versions \u0026gt;= 7.2.3.1, \u0026gt;= 8.0.4.1, or \u0026gt;= 8.1.2.1 to remediate CVE-2026-33195.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation to sanitize blob keys and prevent path traversal attempts before passing them to \u003ccode\u003eDiskService#path_for\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Rails Active Storage Path Traversal Attempt\u0026quot; to monitor for exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview application code to ensure that user-provided input is not directly used as blob keys without proper sanitization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-rails-active-storage-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-33195) exists in Rails Active Storage's DiskService#path_for, potentially allowing attackers to read, write, or delete arbitrary files on the server by crafting blob keys with path traversal sequences, impacting applications that pass user input as blob keys.","title":"Rails Active Storage Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-rails-active-storage-path-traversal/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Storage"],"_cs_severities":["high"],"_cs_tags":["rails","active_storage","file_deletion","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Rails"],"content_html":"\u003cp\u003eA critical vulnerability exists in Active Storage, a component of the Rails web application framework, affecting versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. The vulnerability, identified as CVE-2026-33202, stems from the \u003ccode\u003eDiskService#delete_prefixed\u003c/code\u003e method's improper handling of glob metacharacters within blob keys. Specifically, the method passes blob keys directly to \u003ccode\u003eDir.glob\u003c/code\u003e without proper escaping. An attacker who can control the input of blob keys, either through direct manipulation or custom generation, can inject glob metacharacters (e.g., *, ?, []) into the key. This allows the attacker to delete unintended files residing within the storage directory, potentially leading to data loss or service disruption. Successful exploitation requires the application to be configured to use the DiskService and the attacker to have a mechanism to influence the blob key.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Rails application utilizing Active Storage and the DiskService.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers or engineers a method to influence the generation or modification of blob keys. This might involve exploiting an existing application vulnerability (e.g., SQL injection) or manipulating application logic.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious blob key containing glob metacharacters (e.g., \u003ccode\u003eevil*key\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application attempts to delete a file using the crafted blob key via \u003ccode\u003eDiskService#delete_prefixed\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDiskService#delete_prefixed\u003c/code\u003e passes the malicious blob key to \u003ccode\u003eDir.glob\u003c/code\u003e without proper escaping.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDir.glob\u003c/code\u003e interprets the glob metacharacters, causing it to match multiple files in the storage directory based on the attacker's crafted pattern. For example, \u003ccode\u003eevil*key\u003c/code\u003e could match \u003ccode\u003eevilfilekey\u003c/code\u003e, \u003ccode\u003eevilotherkey\u003c/code\u003e, etc.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDir.glob\u003c/code\u003e deletes all matching files from the storage directory.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary file deletion, potentially leading to data loss or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to delete arbitrary files within the Active Storage's configured storage directory. This could lead to significant data loss, potentially disrupting application functionality and impacting users. The severity is heightened when sensitive information is stored within the affected directories. Given the wide adoption of Rails, a successful widespread attack could impact a large number of applications across various sectors. The CVSS v3.1 base score for this vulnerability is 9.1 (Critical).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Active Storage versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later to incorporate the patch for CVE-2026-33202.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on blob keys to prevent the injection of glob metacharacters.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for suspicious file deletion activity, particularly within the Active Storage storage directory, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement principle of least privilege on the storage directory to limit the impact of file deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-10T12:00:00Z","date_published":"2024-01-10T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-rails-active-storage-delete/","summary":"A vulnerability in Rails Active Storage allows attackers to delete arbitrary files in the storage directory by exploiting glob metacharacters in blob keys passed to `Dir.glob`.","title":"Rails Active Storage Vulnerability Allows Arbitrary File Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-rails-active-storage-delete/"}],"language":"en","title":"CraftedSignal Threat Feed - Active Storage","version":"https://jsonfeed.org/version/1.1"}