CVE-2018-16477
Description
A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allows an attacker to modify the content-disposition and content-type parameters, which can be used with HTML files to have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Active Storage 5.2.0+ for Google Cloud Storage and Disk services allows attackers to modify content-disposition and content-type parameters, enabling inline execution of HTML files and potential access to private signed URLs.
Vulnerability
A bypass vulnerability in Active Storage versions >= 5.2.0 for Google Cloud Storage and Disk services allows an attacker to modify the content-disposition and content-type parameters in signed download URLs [1][2]. This can be used to serve specially crafted HTML files inline, bypassing the expected attachment disposition. Combined with cookie bombing and AppCache manifests, the attacker can gain access to private signed URLs within a specific storage path [2].
Exploitation
An attacker must obtain a signed URL (e.g., by tricking a user or leveraging a legitimate sharing mechanism) and then modify the content-disposition parameter to inline. By uploading a malicious HTML file and manipulating the URL, the attacker can have the file executed in the victim's browser. Further techniques such as cookie bombing and AppCache manifest manipulation can escalate access to other private signed URLs [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML (and potentially JavaScript) in the context of the vulnerable application, leading to cross-site scripting. Additionally, the attacker can access private signed URLs, resulting in unauthorized information disclosure of files stored under the same storage path [1][2].
Mitigation
The vulnerability is fixed in Active Storage version 5.2.1.1, released on 2018-11-30 [2]. Users should upgrade immediately. For Google Cloud Storage users, in addition to upgrading, it is recommended to update existing blobs by running `ActiveStorage::Blob.find_each do |blob| blob.send :update_service_metadata end` [2]. A monkey-patch workaround for GCS is also provided in the advisory [2]. No workaround is available for the Disk service; upgrading is required.
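The root cause described in the Vulnerability and Mitigation sections is that the content type and disposition of a download were carried outside the signed part of the URL, so a verified blob key did not protect them. The following is an added illustration, not Active Storage's own code or the advisory's patch: it contrasts a weak URL scheme, where only the blob key is signed and the two parameters ride as plain query parameters, with a hardened scheme that signs them together with the key and additionally forces `attachment` for types not on an inline allowlist. The secret, the hostname `files.example.test`, the blob keys and the allowlist are all constructed for the demonstration.

```ruby
require "openssl"
require "base64"
require "json"
require "uri"

# Constructed example, not Active Storage's own code. It contrasts two ways of
# building a signed download URL for a stored blob:
#   weak_url     - only the blob key is signed; content_type and disposition
#                  travel as plain query parameters (the pre-5.2.1.1 pattern)
#   hardened_url - content_type and disposition are part of the signed payload,
#                  so changing them invalidates the signature
SECRET = "constructed-demo-secret-not-for-production".freeze

# Types a browser may render inline; everything else is forced to attachment.
# This allowlist is an assumption chosen for the demonstration.
INLINE_ALLOWED = %w[image/png image/jpeg image/gif application/pdf].freeze

# Length-checked, constant-time byte comparison for the MAC.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the payload and append an HMAC-SHA256 over the encoded form.
def sign(payload)
  data = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)}"
end

# Return the payload if the MAC verifies, nil otherwise.
def verify(token)
  data, mac = token.to_s.split("--", 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
  return nil unless constant_time_equal?(expected, mac)
  JSON.parse(Base64.urlsafe_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

def query_params(uri)
  URI.decode_www_form(uri.query.to_s).to_h
end

# --- weak scheme: headers come from unsigned query parameters ---------------
def weak_url(key, content_type, disposition)
  q = URI.encode_www_form(content_type: content_type, disposition: disposition)
  "https://files.example.test/disk/#{sign('key' => key)}?#{q}"
end

def weak_response_headers(url)
  uri = URI(url)
  return nil unless verify(uri.path.split("/").last)
  p = query_params(uri)
  { "Content-Type" => p["content_type"], "Content-Disposition" => p["disposition"] }
end

# --- hardened scheme: headers come only from the verified payload -----------
def hardened_url(key, content_type, disposition)
  disposition = "attachment" unless INLINE_ALLOWED.include?(content_type)
  token = sign("key" => key, "content_type" => content_type, "disposition" => disposition)
  "https://files.example.test/disk/#{token}"
end

def hardened_response_headers(url)
  uri = URI(url)
  payload = verify(uri.path.split("/").last)
  return nil unless payload
  { "Content-Type" => payload["content_type"], "Content-Disposition" => payload["disposition"] }
end

# Add or override query parameters without touching the signed path segment,
# i.e. the kind of edit the advisory describes; used here to test the scheme.
def with_query(url, params)
  uri = URI(url)
  uri.query = URI.encode_www_form(query_params(uri).merge(params))
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  key  = "constructed-blob-key-abc123"
  edit = { "content_type" => "text/html", "disposition" => "inline" }
  weak = weak_url(key, "text/html", "attachment")
  hard = hardened_url(key, "text/html", "attachment")
  puts weak_response_headers(with_query(weak, edit)).inspect     # follows the query
  puts hardened_response_headers(with_query(hard, edit)).inspect # still attachment
end
```

The hardened scheme makes the check a pure function of the verified token: a download server that derives `Content-Type` and `Content-Disposition` from anything outside the MAC-protected payload reintroduces the bypass, regardless of how strong the signature over the key itself is.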
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activestorage (RubyGems) | >= 5.2.0, < 5.2.1.1 | 5.2.1.1 |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-7rr7-rcjw-56vj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-16477 (GHSA, advisory)
- groups.google.com/d/msg/rubyonrails-security/3KQRnXDIuLg/mByx5KkqBAAJ (GHSA, x_refsource_MISC, web)
- weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released (GHSA, web)
- weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released (MITRE, x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.