CVE-2026-33202
Rails Active Storage has possible glob injection in its DiskService
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Productos afectados
rails · activestorage¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874chttps://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccfhttps://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82https://github.com/rails/rails/releases/tag/v7.2.3.1https://github.com/rails/rails/releases/tag/v8.0.4.1https://github.com/rails/rails/releases/tag/v8.1.2.1https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m