QwikSec

Security Database

CVE

CWE

Training

CVE-2019-5420

Published: Mar 27, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

Vendor	Product	Versions
Rails	https://github.com/rails/rails	affected `5.2.2.1` affected `6.0.0.beta3`

Weaknesses (CWE)

References

https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/

x_refsource_CONFIRM

https://groups.google.com/forum/#%21topic/rubyonrails-security/IsQKvDqZdKw

x_refsource_CONFIRM

http://packetstormsecurity.com/files/152704/Ruby-On-Rails-DoubleTap-Development-Mode-secret_key_base-Remote-Code-Execution.html

x_refsource_MISC

exploit

x_refsource_EXPLOIT-DB

FEDORA-2019-1cfe24db5c

vendor-advisory

x_refsource_FEDORA

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.