[Git][security-tracker-team/security-tracker][master] CVE-2022-32224/rails: reconsider bullseye triage

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Mon May 4 21:27:24 BST 2026 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dde9d0f4 by Sylvain Beucler at 2026-05-04T22:27:17+02:00
CVE-2022-32224/rails: reconsider bullseye triage

The fix does not require ruby-psych >= v4, really warns that v4
behaves differently.

At first glance we should introduce
'config.active_record.use_yaml_unsafe_load' (even if we eventually
decide to set it to 'True' for backward compatibility), so that
end-users may at least protect themselves against the RCE.

Follow-up to:
10b3d6f9ac56ebafd59a82d9a8204e5fa1a1119d [debusine test now removed]
b18f0c329e5a5695beccdd009560f3b419e28b2e

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -397368,13 +397368,14 @@ CVE-2022-32225 (A reflected DOM-Based XSS vulnerability has been discovered in t
 	NOT-FOR-US: Veeam
 CVE-2022-32224 (A possible escalation to RCE vulnerability exists when using YAML seri ...)
 	- rails 2:6.1.6.1+dfsg-1 (bug #1016140)
-	[bullseye] - rails <ignored> (Mitigation is too invasive to backport)
 	NOTE: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
+	NOTE: https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
 	NOTE: Fixed by: https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a (main)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/8ce4bd1be83c08c30c34af4d0f1a726066128176 (v6.1.6.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/d28f278788b599c0a9f6e3ea437c6642eb56f16c (v6.0.5.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/6576aa7bbcf52ebd39853363e29f92b4dd53b6f1 (v5.2.8.1)
-	NOTE: Break compatibility and need ruby-psych (>= 4.0.0)
+	NOTE: "This may introduce backwards compatibility issues with existing data."
+	NOTE: Psych 4.0 redirects 'YAML.load' from 'YAML.unsafe_load' to 'YAML.safe_load'; 'unsafe_load' introduced in 3.3.2.
 CVE-2022-32223 (Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under ce ...)
 	- nodejs <not-affected> (Only affects Windows)
 	NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dll-hijacking-on-windows-high-cve-2022-32223



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dde9d0f4f6aa005a4fdd4aa09689314b2d25c74b

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dde9d0f4f6aa005a4fdd4aa09689314b2d25c74b
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260504/bef165ee/attachment.htm>

More information about the debian-security-tracker-commits mailing list