9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-32224

GHSA ID

GHSA-3hhc-qp5v-9p2j

EPSS Score

0.79392%

CWE

CWE-502

Published

7/12/2022

Updated

2/2/2023

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-32224

CVE-2022-32224: Active Record RCE bug with Serialized Columns

When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.

There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-32224

CVE-2022-32224:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-32224

GHSA ID

GHSA-3hhc-qp5v-9p2j

EPSS Score

0.79392%

CWE

CWE-502

Published

7/12/2022

Updated

2/2/2023

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
activerecord	rubygems	>= 7.0.0, <= 7.0.3	7.0.3.1
activerecord	rubygems	>= 6.1.0, <= 6.1.6	6.1.6.1
activerecord	rubygems	>= 6.0.0, <= 6.0.5	6.0.5.1
activerecord	rubygems	<= 5.2.8	5.2.8.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the YAML deserialization approach in serialized columns. The commit 611990f shows the patched version replaced unsafe_load with safe_load. The original vulnerable implementation in yaml_column.rb directly used unsafe_load, which permits deserialization of potentially dangerous objects. This matches the CWE-502 (Deserialization of Untrusted Data) classification and the advisory's description of RCE risk through manipulated YAML data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-32224: Active Record RCE bug with Serialized Columns

CVE-2022-32224:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

Basic Information

Basic Information

CVE-2022-32224: Active Record RCE bug with Serialized Columns

9.8

9.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-32224: Active Record RCE bug with Serialized Columns

CVE-2022-32224:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2022-32224: Active Record RCE bug with Serialized Columns

9.8

9.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI