Vulnerabilities related to rubyonrails - ruby_on_rails
Vulnerability from fkie_nvd
Published
2009-07-10 15:30
Modified
2024-11-21 01:04
Severity ?
Summary
The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
References
Impacted products
Vendor | Product | Version
---|---|---
rubyonrails | ruby_on_rails | *
apple | mac_os_x | *
apple | mac_os_x | 10.5.8
apple | mac_os_x_server | *
apple | mac_os_x_server | 10.5.8
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "7E594206-CF9B-4C01-947C-79EF74B57416", versionEndExcluding: "2.3.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", matchCriteriaId: "F110744D-9928-4DC1-873E-26B3E1D7CD62", versionEndExcluding: "10.6.3", versionStartIncluding: "10.6.0", vulnerable: true, }, { criteria: "cpe:2.3:o:apple:mac_os_x:10.5.8:*:*:*:*:*:*:*", matchCriteriaId: "1335E35A-D381-4056-9E78-37BC6DF8AD98", vulnerable: true, }, { criteria: "cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:*", matchCriteriaId: "F3611024-49F5-414A-B536-9FA6519856B5", versionEndExcluding: "10.6.3", versionStartIncluding: "10.6.0", vulnerable: true, }, { criteria: "cpe:2.3:o:apple:mac_os_x_server:10.5.8:*:*:*:*:*:*:*", matchCriteriaId: "82B4CD59-9F37-4EF0-BA43-427CFD6E1329", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.", }, { lang: "es", value: "El código de ejemplo para la funcionalidad de autenticación digest (http_authentication.rb) en Ruby on Rails anterior a v2.3.3 define un bloque authenticate_or_request_with_http_digest que devolverá nulo en lugar de falso cuando el usuario no existe, lo cual permite a atacantes dependiendo del contexto eludir la autenticación para aplicaciones que se derivan de este ejemplo mediante el envío de un nombre de usuario no válido sin una contraseña.", }, ], id: "CVE-2009-2422", lastModified: 
"2024-11-21T01:04:50.073", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: true, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2009-07-10T15:30:00.250", references: [ { source: "cve@mitre.org", tags: [ "Mailing List", ], url: "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Patch", ], url: "http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s", }, { source: "cve@mitre.org", tags: [ "Broken Link", "Vendor Advisory", ], url: "http://secunia.com/advisories/35702", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "http://support.apple.com/kb/HT4077", }, { source: "cve@mitre.org", tags: [ "Patch", ], url: "http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest", }, { source: "cve@mitre.org", tags: [ "Broken Link", "Patch", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/35579", }, { source: "cve@mitre.org", tags: [ "Broken Link", "Patch", "Vendor Advisory", ], url: 
"http://www.vupen.com/english/advisories/2009/1802", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/51528", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", ], url: "http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Vendor Advisory", ], url: "http://secunia.com/advisories/35702", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://support.apple.com/kb/HT4077", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Patch", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/35579", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Patch", "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2009/1802", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/51528", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-04-07 23:59
Modified
2024-11-21 02:47
Severity ?
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", matchCriteriaId: "254884EE-EBA4-45D0-9704-B5CB22569668", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", matchCriteriaId: "5C913A56-959D-44F1-BD89-D246C66D1F09", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5D5BA926-38EE-47BE-9D16-FDCF360A503B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", matchCriteriaId: "18EA25F1-279A-4F1A-883D-C064369F592E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", matchCriteriaId: "FD794856-6F30-4ABF-8AE4-720BB75E6F89", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", matchCriteriaId: "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", matchCriteriaId: "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"767C481D-6616-4CA9-9A9B-C994D9121796", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", matchCriteriaId: "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "CA46B621-125E-497F-B2DE-91C989B25936", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B3239443-2E19-4540-BA0C-05A27E44CB6C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", matchCriteriaId: "104AC9CF-6611-4469-9852-7FDAF4EC7638", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", matchCriteriaId: "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", matchCriteriaId: "A462C151-982E-4A83-A376-025015F40645", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "578CC013-776B-4868-B448-B7ACAF3AF832", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", matchCriteriaId: "C310EA3E-399A-48FD-8DE9-6950E328CF23", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "293B2998-5169-4960-BEC4-21DAC837E32B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*", matchCriteriaId: "FB42A8E7-D273-4CE2-9182-D831D8089BFA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "DB757DFD-BF47-4483-A2C0-DF37F7D10989", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6C375F2-5027-4B55-9112-C5DD2F787E43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", matchCriteriaId: 
"EAB8D57F-9849-428C-B8E9-D0A1020728BB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", matchCriteriaId: "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "0965BDB6-9644-465C-AA32-9278B2D53197", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", matchCriteriaId: "072EB16D-1325-4869-B156-65E786A834C7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", matchCriteriaId: "847B3C3D-8656-404D-A954-09C159EDC8E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", matchCriteriaId: "65CA2D50-B33C-4088-BDDF-EB964C9A092C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", matchCriteriaId: "CADB5989-5260-4F60-ACF2-BEB6D7F97654", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", matchCriteriaId: "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B86E26CB-2376-4EBC-913C-B354E2D6711B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", matchCriteriaId: "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*", matchCriteriaId: "D5150753-E86D-4859-A046-97B83EAE2C14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", matchCriteriaId: "59C5B869-74FC-4051-A103-A721332B3CF2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*", matchCriteriaId: "F11E9791-7BCE-43E5-A4BA-6449623FE4F9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CE521626-2876-455C-9D99-DB74726DC724", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*", matchCriteriaId: "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*", matchCriteriaId: "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*", matchCriteriaId: "16D3B0EA-49F7-401A-A1D9-437429D33EAD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*", matchCriteriaId: "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FCB08CD7-E9B9-454F-BAF7-96162D177677", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*", matchCriteriaId: "0D3DA0B4-E374-4ED4-8C3B-F723C968666F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*", matchCriteriaId: "B1730A9A-6810-4470-AE6C-A5356D5BFF43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "DBD4FBDC-F05B-4CDD-8928-7122397A7651", versionEndIncluding: "3.2.22.1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*", matchCriteriaId: "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.", }, { lang: "es", value: "Vulnerabilidad de salto directorio en Action View en Ruby on Rails en versiones anteriores a 3.2.22.2 y 4.x en versiones anteriores a 4.1.14.2 permite a atacantes remotos leer archivos arbitrarios aprovechando el uso no restringido del método render de una aplicación y proporcionando un .. (punto punto) en un nombre de ruta. NOTA: esta vulnerabilidad existe por una solución incompleta para CVE-2016-0752.", }, ], id: "CVE-2016-2097", lastModified: "2024-11-21T02:47:47.930", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-04-07T23:59:05.800", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html", }, { source: "secalert@redhat.com", tags: [ "Patch", 
"Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2016/dsa-3509", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/83726", }, { source: "secalert@redhat.com", url: "http://www.securitytracker.com/id/1035122", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2016/dsa-3509", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/83726", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1035122", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2013-03-19 22:55
Modified
2024-11-21 01:50
Severity ?
Summary
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: 
"6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*", matchCriteriaId: "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*", matchCriteriaId: "EB938651-C874-4427-AF9B-E9564B258633", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*", matchCriteriaId: "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*", matchCriteriaId: "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*", matchCriteriaId: "897109FF-2C37-458A-91A9-7407F3DFBC99", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*", matchCriteriaId: "289B1633-AAF7-48BE-9A71-0577428EE531", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*", matchCriteriaId: "B947FD6D-CD0B-44EE-95B5-E513AF244905", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*", matchCriteriaId: "E3666B82-1880-4A43-900F-3656F3FB157A", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*", matchCriteriaId: "C06D18BA-A0AB-461B-B498-2F1759CBF37D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*", matchCriteriaId: "61EBE7E0-C474-43A7-85E3-093C754A253F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*", matchCriteriaId: "D7195418-A2E9-43E6-B29F-AEACC317E69E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*", matchCriteriaId: "39485B13-3C71-4EC6-97CF-6C796650C5B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*", matchCriteriaId: "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*", matchCriteriaId: "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*", matchCriteriaId: "62323F62-AD04-4F43-A566-718DDB4149CC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*", matchCriteriaId: "A8E890B1-4237-4470-939A-4FC489E04520", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "24F3B933-0F68-4F88-999C-0BE48BC88CF6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*", matchCriteriaId: "7BFCB88D-D946-4510-8DDC-67C32A606589", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*", matchCriteriaId: "E793287E-2BDA-4012-86F5-886B82510431", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*", matchCriteriaId: "DF706143-996C-4120-B620-3EDC977568DF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*", matchCriteriaId: "43E7F32B-C760-4862-B6DB-C38FB2A9182F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*", matchCriteriaId: "FD68A034-73A2-4B1A-95DB-19AD3131F775", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2E78C912-E8FF-495F-B922-43C54D1E2180", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "15B72C17-82C3-4930-9227-226C8E64C2E7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: "FA59F311-B2B4-40EE-A878-64EF9F41581B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*", matchCriteriaId: "035B47E9-A395-47D2-9164-A2A2CF878326", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "BDA55D29-C830-45EF-A3B3-BFA9EED88F38", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*", matchCriteriaId: "0A9356A6-D32A-487C-B743-1DA0D6C42FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "2B3C7616-8631-49AC-979C-4347067059AF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*", matchCriteriaId: "EC487B78-AAEA-4F0E-8C8B-F415013A381E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "456A2F7E-CC66-48C4-B028-353D2976837A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F9806A84-2160-40EA-9960-AE7756CE4E0A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "07EC67D4-3D0F-4FF9-8197-71175DCB2723", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "6E2DF384-3992-43BF-8A5C-65FA53E9A77C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*", matchCriteriaId: "B7453BE5-91C8-42B2-9F75-FFE4038F29A6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*", matchCriteriaId: "A2FD44EB-E899-4FA8-985E-44B75134DDC6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*", matchCriteriaId: "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*", matchCriteriaId: "4E1C795F-CCAC-47AC-B809-BD5510310011", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "C230384C-A52A-4167-A07D-0E06138EE246", versionEndIncluding: "2.3.17", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "04FDC63D-6ED7-48AE-9D72-6419F54D4B84", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*", matchCriteriaId: "DBF12B2F-39D9-48D5-9620-DF378D199295", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*", matchCriteriaId: "22E1EAAF-7B49-498B-BFEB-357173824F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*", matchCriteriaId: "1B9AD626-0AFA-4873-A701-C7716193A69C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*", matchCriteriaId: 
"BF69F60A-E8D3-4A4D-BBB5-DE42A1402262", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*", matchCriteriaId: "986D2B30-FF07-498B-A5E0-A77BAB402619", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*", matchCriteriaId: "A0E3141A-162C-4674-BD7B-E1539BAA0B7B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*", matchCriteriaId: "86E73F12-0551-42D2-ACC3-223C98B69C7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*", matchCriteriaId: "D6BA0659-2287-4E95-B30D-2441CD96DA90", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*", matchCriteriaId: "B01A4699-32D3-459E-B731-4240C8157F71", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", 
vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", 
vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", 
vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: "244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: "6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*", matchCriteriaId: "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails 
before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.", }, { lang: "es", value: "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before v2.3.18, v3.0.x and v3.1.x before v3.1.12, and v3.2.x before v3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to carry out XSS attacks via CSS sequences.", }, ], id: "CVE-2013-1855", lastModified: "2024-11-21T01:50:31.663", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-03-19T22:55:01.027", references: [ { source: "secalert@redhat.com", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "secalert@redhat.com", url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0698.html", }, { source: 
"secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "secalert@redhat.com", url: "http://support.apple.com/kb/HT5784", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, { source: "secalert@redhat.com", url: "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0698.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://support.apple.com/kb/HT5784", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
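The newline defect in the sanitize_css record above, shown as an added example that is not Rails' sanitizer code: a reduced allow-list check in the style of a CSS "gauntlet" regex, written once with ^ and $ (which Ruby treats as line anchors) and once with \A and \z (which match only at the ends of the whole string). The allowed-character set, the helper names and the payload are assumptions for the example.

```ruby
# Added example, not Rails' own sanitizer: a reduced model of the allow-list
# "gauntlet" a CSS sanitizer runs over a style attribute before emitting it.
# The first regex is anchored with ^ and $, which in Ruby match at line
# boundaries; the second with \A and \z, which match only at the ends of the
# whole string. The character set is an assumption, not the production list.
GAUNTLET_LINE_ANCHORED = /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'|"[\s\w]+"|\([\d,\s]+\))*$/
GAUNTLET_WHOLE_STRING  = /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'|"[\s\w]+"|\([\d,\s]+\))*\z/

# Vulnerable variant: ^ can match right after any "\n" and $ right before one,
# so a style containing a newline passes as soon as ONE of its lines is clean,
# and the hostile line is emitted unchanged.
def sanitize_css_line_anchored(style)
  style =~ GAUNTLET_LINE_ANCHORED ? style : ''
end

# Hardened variant: \A...\z makes the gauntlet account for every character of
# the attribute, newlines included, so the hostile line is rejected.
def sanitize_css_whole_string(style)
  style =~ GAUNTLET_WHOLE_STRING ? style : ''
end

BENIGN = 'color: red; font-size: 12px'
# Constructed payload: a clean first line, a newline, then a value carrying
# characters the gauntlet is supposed to reject.
HOSTILE = "color: red\nbackground: url(javascript:alert(1))"

if __FILE__ == $0
  [BENIGN, HOSTILE].each do |style|
    puts "line-anchored: #{sanitize_css_line_anchored(style).inspect}"
    puts "whole-string : #{sanitize_css_whole_string(style).inspect}"
  end
end
```

The order of the lines does not matter: a hostile first line followed by a clean second line passes the line-anchored check just the same, because the regex only needs some line to satisfy it. The real sanitizer also strips url() and allow-lists property names; the point here is only the anchoring, which is what a newline exploits.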
Vulnerability from fkie_nvd
Published
2008-11-21 12:00
Modified
2024-11-21 00:53
Severity ?
Summary
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*", matchCriteriaId: "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*", matchCriteriaId: "EB938651-C874-4427-AF9B-E9564B258633", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*", matchCriteriaId: "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*", matchCriteriaId: "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*", matchCriteriaId: "897109FF-2C37-458A-91A9-7407F3DFBC99", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*", matchCriteriaId: "289B1633-AAF7-48BE-9A71-0577428EE531", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*", matchCriteriaId: "B947FD6D-CD0B-44EE-95B5-E513AF244905", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*", matchCriteriaId: "E3666B82-1880-4A43-900F-3656F3FB157A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*", matchCriteriaId: "C06D18BA-A0AB-461B-B498-2F1759CBF37D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*", matchCriteriaId: "61EBE7E0-C474-43A7-85E3-093C754A253F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*", matchCriteriaId: "D7195418-A2E9-43E6-B29F-AEACC317E69E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*", matchCriteriaId: "39485B13-3C71-4EC6-97CF-6C796650C5B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*", matchCriteriaId: 
"E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*", matchCriteriaId: "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*", matchCriteriaId: "62323F62-AD04-4F43-A566-718DDB4149CC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*", matchCriteriaId: "A8E890B1-4237-4470-939A-4FC489E04520", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "24F3B933-0F68-4F88-999C-0BE48BC88CF6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*", matchCriteriaId: "7BFCB88D-D946-4510-8DDC-67C32A606589", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*", matchCriteriaId: "E793287E-2BDA-4012-86F5-886B82510431", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*", matchCriteriaId: "DF706143-996C-4120-B620-3EDC977568DF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*", matchCriteriaId: "43E7F32B-C760-4862-B6DB-C38FB2A9182F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*", matchCriteriaId: "FD68A034-73A2-4B1A-95DB-19AD3131F775", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2E78C912-E8FF-495F-B922-43C54D1E2180", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "15B72C17-82C3-4930-9227-226C8E64C2E7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: 
"FA59F311-B2B4-40EE-A878-64EF9F41581B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*", matchCriteriaId: "035B47E9-A395-47D2-9164-A2A2CF878326", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "BDA55D29-C830-45EF-A3B3-BFA9EED88F38", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*", matchCriteriaId: "0A9356A6-D32A-487C-B743-1DA0D6C42FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "2B3C7616-8631-49AC-979C-4347067059AF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*", matchCriteriaId: "EC487B78-AAEA-4F0E-8C8B-F415013A381E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "DA2DB681-506C-40ED-9259-AFD733F6273A", versionEndIncluding: "2.0.4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "04FDC63D-6ED7-48AE-9D72-6419F54D4B84", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*", matchCriteriaId: "DBF12B2F-39D9-48D5-9620-DF378D199295", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*", matchCriteriaId: "22E1EAAF-7B49-498B-BFEB-357173824F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*", matchCriteriaId: "1B9AD626-0AFA-4873-A701-C7716193A69C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*", matchCriteriaId: "986D2B30-FF07-498B-A5E0-A77BAB402619", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*", matchCriteriaId: "A0E3141A-162C-4674-BD7B-E1539BAA0B7B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*", matchCriteriaId: "86E73F12-0551-42D2-ACC3-223C98B69C7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*", matchCriteriaId: "D6BA0659-2287-4E95-B30D-2441CD96DA90", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*", matchCriteriaId: "B01A4699-32D3-459E-B731-4240C8157F71", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.", }, { lang: "es", value: "CRLF injection vulnerability in Ruby on Rails before v2.0.5 allows remote attackers to inject HTTP headers of their choice and carry out HTTP response splitting attacks via a manipulated URL to the redirect_to function.", }, ], id: "CVE-2008-5189", lastModified: "2024-11-21T00:53:30.897", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", 
availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2008-11-21T12:00:00.187", references: [ { source: "cve@mitre.org", url: "http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d", }, { source: "cve@mitre.org", url: "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing", }, { source: "cve@mitre.org", url: "http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk", }, { source: "cve@mitre.org", tags: [ "Patch", ], url: "http://www.securityfocus.com/bid/32359", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.securityfocus.com/bid/32359", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
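The header injection the redirect_to record above describes, shown as an added example that is not Rails code: a redirect target taken from a query parameter, decoded the way a framework decodes it, written into a Location header once unchecked and once behind a CR/LF check, with a small response parser standing in for the browser. The parameter value, the helper names and the reject-rather-than-strip choice are assumptions for the example.

```ruby
require 'uri'

# Added example, not Rails code: what happens when a redirect target taken
# from the request is written into the Location header unchecked.

# Raw value of a query parameter as it appears on the wire (constructed):
# "https://example.com/" followed by an encoded CR LF and a second header.
RAW_PARAM = 'https%3A%2F%2Fexample.com%2F%0D%0ASet-Cookie%3A+session%3Dattacker'

# Frameworks decode %0D%0A to a real "\r\n" before the value reaches
# application code, so any check has to run on the decoded string.
def decode_redirect_param(raw)
  URI.decode_www_form_component(raw)
end

# Vulnerable: the target goes into the header line verbatim.
def build_redirect_response_unsafe(location)
  "HTTP/1.1 302 Found\r\nLocation: #{location}\r\nContent-Length: 0\r\n\r\n"
end

# Hardened: refuse any target carrying a CR or LF. Rejecting is stricter than
# stripping, and a legitimate URL never contains either character.
def build_redirect_response_safe(location)
  raise ArgumentError, 'CR/LF in redirect target' if location.match?(/[\r\n]/)
  build_redirect_response_unsafe(location)
end

# Tiny response parser standing in for a browser or proxy: header lines are
# split on CRLF, so an injected CRLF becomes an additional header.
def parse_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  status_line, *header_lines = head.split("\r\n")
  headers = header_lines.map { |l| l.split(': ', 2) }.to_h
  { status: status_line, headers: headers, body: body }
end

if __FILE__ == $0
  target = decode_redirect_param(RAW_PARAM)
  p parse_response(build_redirect_response_unsafe(target))[:headers]
  begin
    build_redirect_response_safe(target)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

With the unchecked builder the client sees a Set-Cookie header the application never set; a target that also carries an encoded blank line and a body turns the single response into two, which is the response-splitting case. The safe builder refuses the decoded value, so the check is placed after decoding, where the framework's redirect helper actually sees it.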
Vulnerability from fkie_nvd
Published
2013-04-22 03:27
Modified
2024-11-21 01:53
Severity ?
Summary
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.
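The data-type mismatch in the summary above, shown as an added example that is neither Rails nor MySQL code: a one-element typed-XML parser that turns a type="integer" attribute into a Ruby Integer, a model of MySQL's string-versus-number comparison (both sides converted to a number, with a non-numeric string converting to 0), and a token lookup once with the value as parsed and once cast to the column's declared type. The token table, the comparison model and the helper names are assumptions for the example.

```ruby
# Added example, not Rails or MySQL code: a model of the data-type mismatch.
# Rails' XML parameter parser honoured a type attribute, so
# <token type="integer">0</token> reached the controller as Integer 0 rather
# than the string "0". MySQL compares a string column with a number by
# converting both sides to a number, and a string with no leading digits
# converts to 0, so "WHERE token = 0" matches every non-numeric token.

# Minimal typed-XML parser for one element (assumption: only the type values
# shown here are handled).
def parse_typed_xml_param(xml)
  m = xml.match(%r{\A\s*<(\w+)(?:\s+type="(\w+)")?>([^<]*)</\1>\s*\z})
  raise ArgumentError, 'unsupported XML' unless m
  name, type, text = m.captures
  value = case type
          when 'integer' then Integer(text, 10)
          when 'boolean' then text == 'true'
          else text
          end
  [name, value]
end

# Model of MySQL's comparison rule: string vs number compares as DOUBLE using
# the string's leading numeric prefix (or 0); string vs string compares
# literally. Ruby's String#to_f has the same leading-prefix behaviour.
def mysql_equal?(stored_text, input)
  case input
  when Integer, Float then stored_text.to_f == input.to_f
  else stored_text == input.to_s
  end
end

# Constructed table of password-reset tokens stored in a string column.
RESET_TOKENS = [
  { id: 1, token: 'a1b2c3d4' },
  { id: 2, token: 'f9e8d7c6' },
  { id: 3, token: '42ab9c1d' },
].freeze

# Vulnerable lookup: the value is compared with whatever Ruby type the
# parameter parser gave it, so Integer 0 matches every non-numeric token.
def find_by_token_untyped(token)
  RESET_TOKENS.select { |row| mysql_equal?(row[:token], token) }
end

# Hardened lookup: cast the input to the column's declared type first, so a
# typed-XML integer is compared as the string "0" and matches nothing.
def find_by_token_typed(token)
  RESET_TOKENS.select { |row| mysql_equal?(row[:token], token.to_s) }
end

if __FILE__ == $0
  _name, value = parse_typed_xml_param('<token type="integer">0</token>')
  p find_by_token_untyped(value).map { |r| r[:id] }
  p find_by_token_typed(value).map { |r| r[:id] }
end
```

The untyped lookup with Integer 0 returns every token that does not start with a digit, and with Integer 42 it returns the token whose leading digits are 42; the typed lookup returns nothing for either. The defence is the cast to the column type before the value reaches the query, applied to every value that can arrive with a type the client chose.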
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "6E2DF384-3992-43BF-8A5C-65FA53E9A77C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*", matchCriteriaId: "B7453BE5-91C8-42B2-9F75-FFE4038F29A6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*", matchCriteriaId: "A2FD44EB-E899-4FA8-985E-44B75134DDC6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*", matchCriteriaId: "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*", matchCriteriaId: "4E1C795F-CCAC-47AC-B809-BD5510310011", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database.", }, { lang: "es", value: "El componente Active Record en Ruby on Rails 2.3.x, 3.0.x, 3.1.x, y 3.2.x, no asegura que el tipo de dato declarado de una columna de la base de datos sea usado durante la comparación con los valores de entrada almacenados en dicha columna, lo que facilita a atacantes remotos a llevar a cabo ataques 
de inyección de tipos de datos (data-types) contra las aplicaciones de Ruby on Rails a través de un valor manipulado, como se ha demostrado mediante una transacción entre la característica \"typed XML\" y la base de datos de MySQL.", }, ], id: "CVE-2013-3221", lastModified: "2024-11-21T01:53:12.260", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-04-22T03:27:13.363", references: [ { source: "cve@mitre.org", url: "http://openwall.com/lists/oss-security/2013/02/06/7", }, { source: "cve@mitre.org", url: "http://openwall.com/lists/oss-security/2013/04/24/7", }, { source: "cve@mitre.org", url: "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://www.phenoelit.org/blog/archives/2013/02/index.html", }, { source: "cve@mitre.org", url: "https://gist.github.com/dakull/5442275", }, { source: "cve@mitre.org", url: "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://openwall.com/lists/oss-security/2013/02/06/7", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://openwall.com/lists/oss-security/2013/04/24/7", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: 
"http://www.phenoelit.org/blog/archives/2013/02/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://gist.github.com/dakull/5442275", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-06-22 14:55
Modified
2024-11-21 01:39
Severity
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2694.", }, { lang: "es", value: "actionpack/lib/action_dispatch/http/request.rb en Ruby on Rails antes de v3.0.13, v3.1.x antes de v3.1.5 y v3.2.x antes de v3.2.4 no tienen debidamente en cuenta las diferencias en el manejo de parámetros entre el componente Active Record y la interfaz Rack, lo que permite a atacantes remotos evitar las restricciones de consulta de bases de datos y realizar comprobaciones de nulos a través de una solicitud hecha a mano, por ejemplo con valores \"[nil]\". 
Se trata de un problema relacionado con el CVE-2012-2694.", }, ], id: "CVE-2012-2660", lastModified: "2024-11-21T01:39:23.550", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2012-06-22T14:55:01.020", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "secalert@redhat.com", tags: [ "Exploit", ], url: "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-264", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2024-11-21 02:42
Severity
Summary
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", matchCriteriaId: "254884EE-EBA4-45D0-9704-B5CB22569668", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", matchCriteriaId: "5C913A56-959D-44F1-BD89-D246C66D1F09", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5D5BA926-38EE-47BE-9D16-FDCF360A503B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", matchCriteriaId: "18EA25F1-279A-4F1A-883D-C064369F592E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", matchCriteriaId: "FD794856-6F30-4ABF-8AE4-720BB75E6F89", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", matchCriteriaId: "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", matchCriteriaId: "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", matchCriteriaId: "767C481D-6616-4CA9-9A9B-C994D9121796", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", matchCriteriaId: 
"4EC1F602-D48C-458A-A063-4050BE3BB25F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", matchCriteriaId: "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", matchCriteriaId: "FD191625-ACE2-46B6-9AAD-12D682C732C2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", matchCriteriaId: "02C7DB56-267B-4057-A9BA-36D1E58C6282", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", matchCriteriaId: "AF8F94CF-D504-4165-A69E-3F1198CB162A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "4C068362-0D49-4117-BC96-780AA802CE4E", versionEndIncluding: "3.2.22", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*", matchCriteriaId: "9C8E749B-2908-442A-99F0-91E2772336ED", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*", matchCriteriaId: "9E43D2D7-89AE-4805-9732-F1C601D8D8B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "5F3D8911-060D-435D-ACA2-E29271170CAA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*", matchCriteriaId: "EA7A4939-16CF-450D-846A-75B231E32D61", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*", matchCriteriaId: "C964D4A2-3F39-4CC7-A028-B42C94DDB56F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*", matchCriteriaId: "23FD6D82-9A14-4BD4-AA00-1875F0962ACE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: 
"actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.", }, { lang: "es", value: "actionpack/lib/action_dispatch/http/mime_type.rb en Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no restringe adecuadamente el uso de la caché de tipo MIME, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de una cabecera HTTP Accept manipulada.", }, ], id: "CVE-2016-0751", lastModified: "2024-11-21T02:42:18.350", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-02-16T02:59:05.877", references: [ { source: "secalert@redhat.com", url: 
"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2016/dsa-3464", }, { source: "secalert@redhat.com", url: "http://www.openwall.com/lists/oss-security/2016/01/25/9", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/81800", }, { source: "secalert@redhat.com", url: "http://www.securitytracker.com/id/1034816", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"http://www.debian.org/security/2016/dsa-3464", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2016/01/25/9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/81800", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1034816", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-399", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-08-10 10:34
Modified
2024-11-21 01:40
Summary
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*", matchCriteriaId: "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*", matchCriteriaId: "EB938651-C874-4427-AF9B-E9564B258633", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*", matchCriteriaId: "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*", matchCriteriaId: "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*", matchCriteriaId: "897109FF-2C37-458A-91A9-7407F3DFBC99", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*", matchCriteriaId: "289B1633-AAF7-48BE-9A71-0577428EE531", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*", matchCriteriaId: "B947FD6D-CD0B-44EE-95B5-E513AF244905", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*", matchCriteriaId: "E3666B82-1880-4A43-900F-3656F3FB157A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*", matchCriteriaId: "C06D18BA-A0AB-461B-B498-2F1759CBF37D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*", matchCriteriaId: "61EBE7E0-C474-43A7-85E3-093C754A253F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*", matchCriteriaId: "D7195418-A2E9-43E6-B29F-AEACC317E69E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*", matchCriteriaId: "39485B13-3C71-4EC6-97CF-6C796650C5B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*", matchCriteriaId: 
"E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*", matchCriteriaId: "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*", matchCriteriaId: "62323F62-AD04-4F43-A566-718DDB4149CC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*", matchCriteriaId: "A8E890B1-4237-4470-939A-4FC489E04520", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "24F3B933-0F68-4F88-999C-0BE48BC88CF6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*", matchCriteriaId: "7BFCB88D-D946-4510-8DDC-67C32A606589", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*", matchCriteriaId: "E793287E-2BDA-4012-86F5-886B82510431", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*", matchCriteriaId: "DF706143-996C-4120-B620-3EDC977568DF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*", matchCriteriaId: "43E7F32B-C760-4862-B6DB-C38FB2A9182F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*", matchCriteriaId: "FD68A034-73A2-4B1A-95DB-19AD3131F775", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2E78C912-E8FF-495F-B922-43C54D1E2180", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "15B72C17-82C3-4930-9227-226C8E64C2E7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: 
"FA59F311-B2B4-40EE-A878-64EF9F41581B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*", matchCriteriaId: "035B47E9-A395-47D2-9164-A2A2CF878326", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "BDA55D29-C830-45EF-A3B3-BFA9EED88F38", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*", matchCriteriaId: "0A9356A6-D32A-487C-B743-1DA0D6C42FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "2B3C7616-8631-49AC-979C-4347067059AF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*", matchCriteriaId: "EC487B78-AAEA-4F0E-8C8B-F415013A381E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: 
"456A2F7E-CC66-48C4-B028-353D2976837A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F9806A84-2160-40EA-9960-AE7756CE4E0A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "07EC67D4-3D0F-4FF9-8197-71175DCB2723", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: 
"5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: 
"25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: 
"B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "E3BBBE2A-2BDA-4930-8E26-A1E3C6575F81", versionEndIncluding: "3.0.16", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "04FDC63D-6ED7-48AE-9D72-6419F54D4B84", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*", matchCriteriaId: "DBF12B2F-39D9-48D5-9620-DF378D199295", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*", matchCriteriaId: "22E1EAAF-7B49-498B-BFEB-357173824F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*", matchCriteriaId: "1B9AD626-0AFA-4873-A701-C7716193A69C", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*", matchCriteriaId: "986D2B30-FF07-498B-A5E0-A77BAB402619", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*", matchCriteriaId: "A0E3141A-162C-4674-BD7B-E1539BAA0B7B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*", matchCriteriaId: "86E73F12-0551-42D2-ACC3-223C98B69C7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*", matchCriteriaId: "D6BA0659-2287-4E95-B30D-2441CD96DA90", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*", matchCriteriaId: "B01A4699-32D3-459E-B731-4240C8157F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: 
"AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.", }, { lang: "es", value: "Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en activesupport/lib/active_support/core_ext/string/output_safety.rb en Ruby on Rails anteriores a v3.0.17, v3.1.x anteriores a v3.1.8, y 3.2.x anteriores a v3.2.8, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores que implican el caracter ' (comilla).", }, ], id: "CVE-2012-3464", lastModified: "2024-11-21T01:40:55.840", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: 
"Primary", userInteractionRequired: true, }, ], }, published: "2012-08-10T10:34:47.890", references: [ { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/50694", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/", }, { source: "secalert@redhat.com", url: "https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/50694", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2011-11-28 11:55
Modified
2024-11-21 01:32
Summary
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", 
matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: false, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: 
"1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: 
"B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: 
"A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an \"html\" substring.", }, { lang: "es", value: "Una vulnerabilidad de ejecución de comandos en sitios cruzados en el método de ayuda de las traducciones i18n en Ruby on Rails v3.0.x antes de v3.0.11 y v3.1.x antes de v3.1.2 y el 
complemento rails_xss en Ruby on Rails v2.3.x, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores relacionados con una cadena de traducciones cuyo nombre termina con la subcadena \"html\".", }, ], id: "CVE-2011-4319", lastModified: "2024-11-21T01:32:13.767", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2011-11-28T11:55:09.127", references: [ { source: "secalert@redhat.com", url: "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1", }, { source: "secalert@redhat.com", url: "http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain", }, { source: "secalert@redhat.com", url: "http://openwall.com/lists/oss-security/2011/11/18/8", }, { source: "secalert@redhat.com", url: "http://osvdb.org/77199", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/50722", }, { source: "secalert@redhat.com", url: "http://www.securitytracker.com/id?1026342", }, { source: "secalert@redhat.com", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/71364", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://openwall.com/lists/oss-security/2011/11/18/8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://osvdb.org/77199", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/50722", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id?1026342", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/71364", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
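The CVE-2011-4319 entry above turns on how the translate helper treats keys that end in _html: the returned string is marked html_safe so the template's own markup survives, and in the affected releases attacker-controlled interpolation values rode along unescaped inside that trusted string. The Ruby below is an added illustration, not Rails' code or the Rails patch: SafeString, TRANSLATIONS, the helper names and the alert payload are all constructed for the example. The hardened variant escapes each interpolated value while leaving the template's own markup trusted; the plain (non-_html) key is shown as well to make clear why the view layer's normal escaping does not help once a string is flagged safe.

```ruby
require 'cgi'

# Stand-in for Rails' SafeBuffer: a string the view layer will not escape again.
class SafeString < String
  def html_safe?; true; end
end

# Constructed translation table (not a real Rails locale file).
TRANSLATIONS = {
  'greeting'      => 'Hello, %{name}!',
  'greeting_html' => 'Hello, <strong>%{name}</strong>!'
}.freeze

# Substitute %{key} placeholders, passing each value through +escaper+.
def interpolate(template, values, escaper)
  template.gsub(/%\{(\w+)\}/) { escaper.call(values.fetch(Regexp.last_match(1).to_sym).to_s) }
end

# Vulnerable shape: a key ending in _html marks the whole result html_safe,
# but interpolated values are dropped in raw, so attacker-controlled +name+
# lands unescaped in a string the view layer trusts.
def translate_vulnerable(key, values)
  template = TRANSLATIONS.fetch(key)
  if key.end_with?('_html')
    SafeString.new(interpolate(template, values, ->(v) { v }))
  else
    interpolate(template, values, ->(v) { v }) # plain String: the view escapes it later
  end
end

# Hardened shape: the template's own markup stays trusted, but every
# interpolated value is HTML-escaped before it enters an _html translation.
def translate_hardened(key, values)
  template = TRANSLATIONS.fetch(key)
  if key.end_with?('_html')
    SafeString.new(interpolate(template, values, ->(v) { CGI.escapeHTML(v) }))
  else
    interpolate(template, values, ->(v) { v })
  end
end

# What a view does with a helper's return value: escape unless it is html_safe.
def render(value)
  value.respond_to?(:html_safe?) && value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
end

PAYLOAD = '<script>alert(1)</script>' # constructed attacker-controlled name

if __FILE__ == $PROGRAM_NAME
  puts render(translate_vulnerable('greeting_html', name: PAYLOAD)) # script tag survives
  puts render(translate_hardened('greeting_html', name: PAYLOAD))   # value escaped, <strong> kept
  puts render(translate_vulnerable('greeting', name: PAYLOAD))      # plain key: view escapes it
end
```

The point to take from the three renders is that the _html convention moves responsibility for escaping from the view into the helper: once the helper returns a safe-flagged string, nothing downstream will repair it, so the helper itself must escape every value that is not part of the translation template.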
Vulnerability from fkie_nvd
Published
2012-03-13 10:55
Modified
2024-11-21 01:36
Severity
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.", }, { lang: "es", value: "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en actionpack/lib/action_view/helpers/form_options_helper.rb en \"select helper\" de Ruby on Rails 3.0.x anteriores a 3.0.12, 3.1.x anteriores a 3.1.4, y 3.2.x anteriores a 3.2.2 permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de vectores que involucran la generación de elementos OPTION dentro de elementos SELECT.", }, ], id: "CVE-2012-1099", lastModified: "2024-11-21T01:36:25.073", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: 
"MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2012-03-13T10:55:01.260", references: [ { source: "secalert@redhat.com", url: "http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2012/dsa-2466", }, { source: "secalert@redhat.com", url: "http://www.openwall.com/lists/oss-security/2012/03/02/6", }, { source: "secalert@redhat.com", url: "http://www.openwall.com/lists/oss-security/2012/03/03/1", }, { source: "secalert@redhat.com", url: "https://bugzilla.redhat.com/show_bug.cgi?id=799276", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2012/dsa-2466", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2012/03/02/6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2012/03/03/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://bugzilla.redhat.com/show_bug.cgi?id=799276", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
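The NVD text for CVE-2012-1099 says only that certain generation of OPTION elements inside SELECT elements was unescaped. The example below is added here and is not Rails' code: it models one form that defect can take in an options_for_select-style helper, where option text and value are escaped but a per-option HTML attributes hash is interpolated raw. Whether that is exactly the Rails vector is an assumption of this example; option_tag_vulnerable, option_tag_hardened, options_for_select, CHOICES and EVIL_ATTR are all constructed for it.

```ruby
require 'cgi'

# Render one <option>. +choice+ is [text, value] or [text, value, {attrs}],
# mirroring the array forms an options_for_select-style helper accepts.
# Vulnerable shape: text and value are escaped, but the trailing attributes
# hash is interpolated raw, so an attacker-controlled attribute value closes
# its own quotes and appends an event handler.
def option_tag_vulnerable(choice)
  text, value, attrs = choice
  extra = (attrs || {}).map { |k, v| %( #{k}="#{v}") }.join
  %(<option value="#{CGI.escapeHTML(value.to_s)}"#{extra}>#{CGI.escapeHTML(text.to_s)}</option>)
end

# Hardened shape: every attribute value goes through the HTML escaper, and the
# attribute name is restricted to a safe character set so a key cannot smuggle
# in whitespace or a quote either.
def option_tag_hardened(choice)
  text, value, attrs = choice
  extra = (attrs || {}).map do |k, v|
    raise ArgumentError, "bad attribute name #{k.inspect}" unless k.to_s.match?(/\A[a-zA-Z][\w-]*\z/)
    %( #{k}="#{CGI.escapeHTML(v.to_s)}")
  end.join
  %(<option value="#{CGI.escapeHTML(value.to_s)}"#{extra}>#{CGI.escapeHTML(text.to_s)}</option>)
end

# Join the rendered options the way a select helper would.
def options_for_select(choices, renderer)
  choices.map { |c| renderer.call(c) }.join("\n")
end

# Constructed input: a data attribute populated from a user-supplied field.
EVIL_ATTR = '" autofocus onfocus="alert(1)'
CHOICES = [
  ['Alice',   1, { 'data-email' => 'alice@example.com' }],
  ['Mallory', 2, { 'data-email' => EVIL_ATTR }]
].freeze

if __FILE__ == $PROGRAM_NAME
  puts options_for_select(CHOICES, method(:option_tag_vulnerable)) # Mallory's option gains onfocus=
  puts options_for_select(CHOICES, method(:option_tag_hardened))   # quotes become &quot;
end
```

The review habit this encodes: in any helper that assembles markup from several inputs, audit each interpolation point separately. Escaping the visible text and the value attribute while leaving a "miscellaneous attributes" hash raw is exactly the partial coverage that reads as safe on a quick look.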
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2024-11-21 01:29
Severity
Summary
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
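The strip_tags bug described above is a parser-versus-browser disagreement: the sanitizer scans its input into tag and text nodes and drops the tag nodes, so anything it fails to parse as a tag is handed back as text, while a browser may still read that same run as markup. The Ruby below is an added toy, not html-scanner or the Rails fix: tokenize, TAG_NAME, PAYLOAD and BENIGN are constructed for the example, the payload is one I built to defeat this toy tokenizer rather than the vector reported against Rails, and the hardened variant escapes any '<...>' run whose name failed validation instead of re-emitting it verbatim.

```ruby
require 'cgi'
require 'strscan'

# A tag name as this example defines it: a letter, then letters, digits or
# hyphens. (Assumed rule for the toy; real parsers accept a wider set.)
TAG_NAME = /\A[A-Za-z][A-Za-z0-9-]*\z/

# Tokenize into [:tag, raw] / [:badtag, raw] / [:text, raw] nodes. Any run
# from '<' to the next '>' is a tag candidate; its name is then validated,
# and a candidate with an invalid name becomes :badtag.
def tokenize(html)
  s = StringScanner.new(html)
  nodes = []
  until s.eos?
    if s.peek(1) == '<' && (raw = s.scan(/<[^>]*>/))
      name = raw[%r{\A</?([^\s/>]*)}, 1].to_s
      nodes << [name.match?(TAG_NAME) ? :tag : :badtag, raw]
    else
      nodes << [:text, s.scan(/[^<]+/) || s.getch]
    end
  end
  nodes
end

# Vulnerable shape: valid tags are dropped, but unparseable '<...>' runs are
# treated as ordinary text and echoed back unchanged.
def strip_tags_vulnerable(html)
  tokenize(html).map { |kind, raw| kind == :tag ? '' : raw }.join
end

# Hardened shape: text nodes are still passed through as strip_tags does, but a
# run that looked like a tag and failed validation is HTML-escaped, so the
# browser can never reinterpret it as markup.
def strip_tags_hardened(html)
  tokenize(html).map do |kind, raw|
    case kind
    when :tag    then ''
    when :badtag then CGI.escapeHTML(raw)
    else raw
    end
  end.join
end

# Constructed inputs. The payload's two candidates, '<<script>' and '<</script>',
# both fail name validation here, yet a browser reads the surviving text as a
# literal '<' followed by a real script element.
PAYLOAD = '<<script>alert(1)//<</script>'
BENIGN  = '<b>bold</b> and <i>italic</i>'

if __FILE__ == $PROGRAM_NAME
  puts strip_tags_vulnerable(BENIGN)   # bold and italic
  puts strip_tags_vulnerable(PAYLOAD)  # <<script>alert(1)//<</script>  (live script)
  puts strip_tags_hardened(PAYLOAD)    # &lt;&lt;script&gt;alert(1)//&lt;&lt;/script&gt;
end
```

The general lesson for any tag-stripping sanitizer is that "could not parse as a tag" must never degrade to "emit verbatim": the input was chosen by the attacker precisely so that the sanitizer's grammar and the browser's grammar disagree, and the only output that is safe under both is escaped text.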
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "456A2F7E-CC66-48C4-B028-353D2976837A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F9806A84-2160-40EA-9960-AE7756CE4E0A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "07EC67D4-3D0F-4FF9-8197-71175DCB2723", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: 
"4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: 
"486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: 
"272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", 
matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.", }, { lang: "es", value: "Vulnerabilidad de ejecución de secuencias comandos en sitios cruzados (XSS) en strip_tags de actionpack/lib/action_controller/vendor/html-scanner/html/node.rb en Ruby on Rails v2.x antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5 permite a atacantes remotos ejecutar secuencias de comandos web o HTML a través una etiqueta con un nombre no válido.", }, ], id: "CVE-2011-2931", lastModified: "2024-11-21T01:29:18.147", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2011-08-29T18:55:01.503", references: [ { source: 
"secalert@redhat.com", tags: [ "Patch", ], url: "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/45921", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2011/dsa-2301", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { source: "secalert@redhat.com", url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731436", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/45921", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2011/dsa-2301", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731436", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", 
}, ], source: "nvd@nist.gov", type: "Primary", }, ], }
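The CVE-2011-2931 entry above describes a strip_tags helper that let a tag with an invalid name through. The Ruby below is an added illustration of that bug class, written for this page; it is not the html-scanner code from actionpack and the `strip_tags_lenient`, `strip_tags_strict` and `SAMPLE` names are assumptions. The point it demonstrates is the fail-open shape: a sanitizer that only removes what it recognises as a well-formed tag hands everything else to the browser, whose tokenizer is far more forgiving than the sanitizer's regex.

```ruby
require "strscan"

# Added illustration of the strip_tags bug class (a sanitizer that fails open on
# tags whose name it does not consider valid).  Simplified model written for this
# page, not the html-scanner code from actionpack.

# Fail-open shape: only a tag with a "valid" name (letter, then letters/digits) is
# recognised and removed.  Anything else that starts with "<" is left in the output
# as if it were plain text, so the browser gets to decide what it means.
def strip_tags_lenient(html)
  html.gsub(%r{</?[a-z][a-z0-9]*(?:\s[^>]*)?>}i, "")
end

# Fail-closed shape: every "<...>" run is consumed whether or not the name is valid,
# and a "<" that never closes is escaped instead of being passed through.
def strip_tags_strict(html)
  out = +""
  s = StringScanner.new(html)
  until s.eos?
    if s.scan(/<[^>]*>/)        # tag-shaped, valid name or not: drop it
      next
    elsif s.scan(/</)           # stray "<" with no ">": neutralise it
      out << "&lt;"
    else
      out << s.scan(/[^<]+/)    # ordinary text
    end
  end
  out
end

# Constructed sample input.  "<img/src=..." is not a tag by the lenient regex (a
# "/" directly after the name), but HTML tokenizers accept "/" as ending the tag
# name, so a browser renders it as an <img> element with its attributes.
SAMPLE = "<b>hi</b> <img/src=x onerror=alert(1)>there".freeze

if __FILE__ == $0
  puts strip_tags_lenient(SAMPLE)   # the tag-shaped run survives
  puts strip_tags_strict(SAMPLE)    # => hi there
end
```

The strict version is deliberately lossy (`a < b > c` loses the middle), which is the trade-off a sanitizer should make: when the input is not clearly text, drop or escape it rather than guess. The actual Rails fix in commit 586a944 is referenced in the entry above; the model here only shows the difference in failure mode.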
Vulnerability from fkie_nvd
Published
2013-01-04 04:46
Modified
2024-11-21 01:46
Severity ?
Summary
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: 
"5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: "244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "53AE7CCA-1E57-4925-A025-F1BBFCE70272", versionEndIncluding: "3.0.17", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.", }, { lang: "es", value: "Vulnerabilidad de inyección SQL en el componente Active Record en Ruby on Rails antes de v3.0.18, v3.1.x antes de v3.1.9, y v3.2.x antes de v3.2.10, permite a atacantes remotos ejecutar comandos SQL a través de una solicitud modificada que aprovecha el comportamiento incorrecto de buscadores dinámicos en aplicaciones que pueden utilizar los tipos de datos inesperados en ciertas llamadas al método find_by_.", }, ], id: "CVE-2012-6496", lastModified: "2024-11-21T01:46:12.500", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-01-04T04:46:02.947", references: [ { source: "cve@mitre.org", url: "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/", }, { source: "cve@mitre.org", url: 
"http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "cve@mitre.org", url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { source: "cve@mitre.org", url: "http://rhn.redhat.com/errata/RHSA-2013-0220.html", }, { source: "cve@mitre.org", url: "http://rhn.redhat.com/errata/RHSA-2013-0544.html", }, { source: "cve@mitre.org", url: "http://security.gentoo.org/glsa/glsa-201401-22.xml", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/57084", }, { source: "cve@mitre.org", tags: [ "Exploit", "Patch", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=889649", }, { source: "cve@mitre.org", url: "https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0220.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0544.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://security.gentoo.org/glsa/glsa-201401-22.xml", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/57084", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=889649", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], 
source: "nvd@nist.gov", type: "Primary", }, ], }
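The CVE-2012-6496 entry above turns on a dynamic finder accepting an unexpected data type. The Ruby below is an added, simplified model of that bug class written for this page; it is not Active Record's code, and the `ToyFinder` class, its table and column list, and the SQL builder are assumptions. It shows the two shapes side by side: a `find_by_<column>` helper that treats a trailing Hash as finder options and splices its select fragment into the statement, and one that insists on a scalar and binds it.

```ruby
# Added, simplified model of the dynamic-finder bug class: a find_by_<column>
# helper that takes whatever type it is handed and treats a Hash as finder
# options.  Written for this page; not Active Record's code.
class ToyFinder
  TABLE   = "users".freeze
  COLUMNS = %w[id name email].freeze

  # Vulnerable shape: a trailing Hash is taken as options, and its select fragment
  # is interpolated into the statement verbatim.  A request parameter decoded into
  # a nested Hash (Rack turns id[select]=... into {"id"=>{"select"=>...}})
  # therefore reaches the SQL text unquoted.
  def self.find_by_unchecked(column, *args)
    check_column!(column)
    options = args.last.is_a?(Hash) ? args.pop : {}
    value   = args.first
    select  = options[:select] || options["select"] || "*"
    where   = value.nil? ? "#{column} IS NULL" : "#{column} = #{quote(value)}"
    "SELECT #{select} FROM #{TABLE} WHERE #{where} LIMIT 1"
  end

  # Hardened shape: the lookup value must be a scalar, is never spliced into the
  # statement, and there is no options path for request data to reach.
  def self.find_by_checked(column, value)
    check_column!(column)
    unless value.nil? || value.is_a?(String) || value.is_a?(Integer)
      raise TypeError, "#{column} must be a scalar, got #{value.class}"
    end
    ["SELECT * FROM #{TABLE} WHERE #{column} = ? LIMIT 1", [value]]
  end

  # true when the hardened finder refuses the value
  def self.rejects?(column, value)
    find_by_checked(column, value)
    false
  rescue TypeError
    true
  end

  def self.check_column!(column)
    raise ArgumentError, "unknown column #{column}" unless COLUMNS.include?(column.to_s)
  end

  def self.quote(v)
    v.is_a?(Integer) ? v.to_s : "'#{v.to_s.gsub("'", "''")}'"
  end
end

# Constructed request parameters: an ordinary one and one carrying a nested Hash.
NORMAL_PARAMS  = { "id" => "42" }.freeze
CRAFTED_PARAMS = { "id" => { "select" => "*, password_digest" } }.freeze

if __FILE__ == $0
  puts ToyFinder.find_by_unchecked("id", NORMAL_PARAMS["id"])
  puts ToyFinder.find_by_unchecked("id", CRAFTED_PARAMS["id"])   # attacker text in SELECT
  p    ToyFinder.find_by_checked("id", NORMAL_PARAMS["id"])
  p    ToyFinder.rejects?("id", CRAFTED_PARAMS["id"])            # => true
end
```

The practitioner's check is the type boundary: nothing that came off the wire should be able to change which branch of a query builder runs. Rejecting non-scalar values at the finder (or coercing with `params[:id].to_s` before the call) closes the options path regardless of what the query builder does with a Hash.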
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2024-11-21 01:29
Severity ?
Summary
The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
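The summary above says the resolver did not handle glob characters in the template lookup. The Ruby below is an added illustration of that bug class written for this page; it is not taken from resolver.rb, and the directory layout, the `lookup_pattern`, `resolve_unescaped`, `resolve_escaped` and `demo` helpers, and the exact pattern shape are assumptions. The mechanism is the same as a filesystem template resolver that expands a `Dir.glob` pattern assembled from request-derived pieces: an unescaped `*` in one of those pieces matches every template in the directory, while escaping the glob metacharacters first makes only a literal name match.

```ruby
require "tmpdir"
require "fileutils"

# Added illustration of the glob-handling bug class; written for this page, not
# taken from resolver.rb.  Directory layout and helper names are assumptions.

# Characters that Dir.glob treats as metacharacters.
GLOB_META = /[*?{}\[\]\\]/

def escape_glob(str)
  str.gsub(GLOB_META) { |m| "\\#{m}" }
end

# Pattern the resolver expands: <root>/<prefix>/<action>{.<fmt1>,.<fmt2>}.erb
def lookup_pattern(root, prefix, action, formats)
  File.join(root, prefix, "#{action}{.#{formats.join(',')}}.erb")
end

# Unescaped: a request-derived piece containing "*", "?" or "{" widens the match.
def resolve_unescaped(root, prefix, action, formats)
  Dir.glob(lookup_pattern(root, prefix, action, formats)).sort
end

# Escaped: every externally supplied piece is escaped before it becomes part of
# the pattern, so only a template whose name is literally that string can match.
def resolve_escaped(root, prefix, action, formats)
  pattern = lookup_pattern(root, escape_glob(prefix), escape_glob(action),
                           formats.map { |f| escape_glob(f) })
  Dir.glob(pattern).sort
end

# Builds a throwaway view tree (constructed sample data) and runs both resolvers
# with a legitimate action name and with an action name of "*".
def demo
  Dir.mktmpdir do |root|
    %w[posts/index.html.erb posts/show.html.erb].each do |rel_path|
      path = File.join(root, rel_path)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, "")
    end
    rel = ->(paths) { paths.map { |p| p.sub("#{root}/", "") } }
    {
      legit:          rel.call(resolve_escaped(root, "posts", "show", %w[html])),
      wild_unescaped: rel.call(resolve_unescaped(root, "posts", "*", %w[html])),
      wild_escaped:   rel.call(resolve_escaped(root, "posts", "*", %w[html]))
    }
  end
end

if __FILE__ == $0
  p demo   # legit: one template; wild_unescaped: every template; wild_escaped: none
end
```

Escaping is the minimum; a resolver that also validates the action and format against an allowlist (`/\A[a-z_]+\z/` for an action name, a fixed set of known MIME formats) never builds a surprising pattern in the first place, and that check is cheap to add in front of any lookup that ends in `Dir.glob`.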
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
Vendor | Product | Version
---|---|---
rubyonrails | rails | 3.0.5 rc1, 3.0.6, 3.0.6 rc1, 3.0.6 rc2, 3.0.7, 3.0.7 rc1, 3.0.7 rc2, 3.0.8, 3.0.8 rc1, 3.0.8 rc2, 3.0.8 rc3, 3.0.8 rc4, 3.0.9, 3.0.9 rc1, 3.0.9 rc2, 3.0.9 rc3, 3.0.9 rc4, 3.0.9 rc5, 3.0.10 rc1
rubyonrails | ruby_on_rails | 3.0.4
rubyonrails | rails | 3.1.0, 3.1.0 beta1, 3.1.0 rc1, 3.1.0 rc2, 3.1.0 rc3, 3.1.0 rc4, 3.1.0 rc5
CVE ID
CVE-2011-2929
Summary
The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
Severity
MEDIUM (CVSS 2.0 base score 5.0, vector AV:N/AC:L/Au:N/C:N/I:P/A:N)
Weakness
CWE-20
Source
secalert@redhat.com (status: Modified; published 2011-08-29 18:55, last modified 2024-11-21 01:29)
References
http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain (Patch)
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/17/1 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/19/11 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/20/1 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/22/13 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/22/14
http://www.openwall.com/lists/oss-security/2011/08/22/5 (Patch)
https://bugzilla.redhat.com/show_bug.cgi?id=731432 (Patch)
https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552 (Patch)
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2024-11-21 01:29
CVE ID
CVE-2011-2932
Severity
MEDIUM (CVSS 2.0 base score 4.3, vector AV:N/AC:M/Au:N/C:N/I:P/A:N; user interaction required)
Weakness
CWE-79
Source
secalert@redhat.com (status: Modified)
Summary
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
References
http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain (Patch)
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
http://secunia.com/advisories/45917
http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/17/1 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/19/11 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/20/1 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/22/13 (Patch)
http://www.openwall.com/lists/oss-security/2011/08/22/14
http://www.openwall.com/lists/oss-security/2011/08/22/5 (Patch)
https://bugzilla.redhat.com/show_bug.cgi?id=731435 (Patch)
https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd (Patch)
Impacted products
Vendor | Product | Version
---|---|---
rubyonrails | rails | 2.0.0, 2.0.0 rc1, 2.0.0 rc2, 2.0.1, 2.0.2, 2.0.4
rubyonrails | rails | 2.1.0, 2.1.1, 2.1.2
rubyonrails | rails | 2.2.0, 2.2.1, 2.2.2
rubyonrails | rails | 2.3.2, 2.3.3, 2.3.4, 2.3.9, 2.3.10, 2.3.11, 2.3.12
rubyonrails | rails | 3.0.0, 3.0.0 beta, 3.0.0 beta2, 3.0.0 beta3, 3.0.0 beta4, 3.0.0 rc, 3.0.0 rc2, 3.0.1, 3.0.1 pre, 3.0.2, 3.0.2 pre, 3.0.3, 3.0.4 rc1, 3.0.5, 3.0.5 rc1, 3.0.6, 3.0.6 rc1, 3.0.6 rc2, 3.0.7, 3.0.7 rc1, 3.0.7 rc2, 3.0.8, 3.0.8 rc1, 3.0.8 rc2, 3.0.8 rc3, 3.0.8 rc4, 3.0.9, 3.0.9 rc1, 3.0.9 rc2, 3.0.9 rc3, 3.0.9 rc4, 3.0.9 rc5, 3.0.10 rc1
rubyonrails | rails | 3.1.0, 3.1.0 beta1, 3.1.0 rc1, 3.1.0 rc2, 3.1.0 rc3, 3.1.0 rc4
rubyonrails | ruby_on_rails | 3.0.4
Vulnerability from fkie_nvd
Published
2013-12-07 00:55
Modified
2024-11-21 01:55
CVE ID
CVE-2013-4491
Severity
MEDIUM (CVSS 2.0 base score 4.3, vector AV:N/AC:M/Au:N/C:N/I:P/A:N; user interaction required)
Source
secalert@redhat.com
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
Impacted products
Vendor | Product | Version
---|---|---
rubyonrails | rails | all versions up to and including 4.0.1; 4.0.0, 4.0.0 beta, 4.0.0 rc1, 4.0.0 rc2, 4.0.1 rc1
rubyonrails | rails | 3.0.0, 3.0.0 beta, 3.0.0 beta2, 3.0.0 beta3, 3.0.0 beta4, 3.0.0 rc, 3.0.0 rc2, 3.0.1, 3.0.1 pre, 3.0.2, 3.0.2 pre, 3.0.3, 3.0.4 rc1, 3.0.5, 3.0.5 rc1, 3.0.6, 3.0.6 rc1, 3.0.6 rc2, 3.0.7, 3.0.7 rc1, 3.0.7 rc2, 3.0.8, 3.0.8 rc1, 3.0.8 rc2, 3.0.8 rc3, 3.0.8 rc4, 3.0.9, 3.0.9 rc1, 3.0.9 rc2, 3.0.9 rc3, 3.0.9 rc4, 3.0.9 rc5, 3.0.10, 3.0.10 rc1, 3.0.11, 3.0.12, 3.0.12 rc1, 3.0.13, 3.0.13 rc1, 3.0.14, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20
rubyonrails | rails | 3.1.0, 3.1.0 beta1, 3.1.0 rc1, 3.1.0 rc2, 3.1.0 rc3, 3.1.0 rc4, 3.1.0 rc5, 3.1.0 rc6, 3.1.0 rc7, 3.1.0 rc8, 3.1.1, 3.1.1 rc1, 3.1.1 rc2, 3.1.1 rc3, 3.1.2, 3.1.2 rc1, 3.1.2 rc2, 3.1.3, 3.1.4, 3.1.4 rc1, 3.1.5, 3.1.5 rc1, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10
rubyonrails | rails | 3.2.0, 3.2.0 rc1, 3.2.0 rc2, 3.2.1, 3.2.2, 3.2.2 rc1, 3.2.3, 3.2.3 rc1, 3.2.3 rc2, 3.2.4, 3.2.4 rc1, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.13 rc1, 3.2.13 rc2
rubyonrails | ruby_on_rails | all versions up to and including 3.2.15; 3.0.4, 3.1.11, 3.2.14, 3.2.14 rc1, 3.2.14 rc2, 3.2.15 rc1, 3.2.15 rc2
References
http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
http://rhn.redhat.com/errata/RHSA-2013-1794.html
http://rhn.redhat.com/errata/RHSA-2014-0008.html
http://rhn.redhat.com/errata/RHSA-2014-1863.html
http://secunia.com/advisories/57836
"http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2014/dsa-2888", }, { source: "secalert@redhat.com", url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/64076", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ", }, { source: "secalert@redhat.com", url: "https://puppet.com/security/cve/cve-2013-4491", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/57836", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2014/dsa-2888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"http://www.securityfocus.com/bid/64076", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://puppet.com/security/cve/cve-2013-4491", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2013-03-19 22:55
Modified
2024-11-21 01:50
Severity ?
Summary
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
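The two vectors named above (an external DTD, and an external entity declaration paired with a reference) can be screened for before the document reaches any XML backend. The gate below is an added example, not the Rails fix and not code from this page: it inspects the prolog of a UTF-8 XML document and reports DTD constructs that enable file disclosure or entity-expansion resource exhaustion. The sample documents are constructed for the demonstration; the `attacker.invalid` host is a placeholder.

```ruby
# Added example: a parser-independent gate for XML carrying a DTD. Assumes UTF-8
# text; a DOCTYPE in another encoding would not be seen by these patterns.

DOCTYPE_RE = /<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>/mi
ENTITY_RE  = /<!ENTITY\s+(%\s*)?(\S+)\s+([^>]*)>/i

# Returns the risky constructs found (empty when the document has no DTD):
#   :external_dtd      DOCTYPE with a SYSTEM/PUBLIC identifier (vector 1)
#   :external_entity   <!ENTITY name SYSTEM/PUBLIC ...> in the internal subset (vector 2)
#   :entity_reference  a declared general entity is actually referenced
#   :parameter_entity  <!ENTITY % ...>, which can pull in external content indirectly
def xml_dtd_findings(xml)
  findings = []
  prolog = xml.split(/<(?![!?])/, 2).first.to_s # everything before the root element
  doctype = prolog[DOCTYPE_RE]
  return findings unless doctype

  findings << :external_dtd if doctype =~ /\A<!DOCTYPE[^\[]*\b(?:SYSTEM|PUBLIC)\b/i
  doctype.scan(ENTITY_RE) do |percent, name, body|
    findings << :parameter_entity if percent
    findings << :external_entity  if body =~ /\b(?:SYSTEM|PUBLIC)\b/i
    findings << :entity_reference if !percent && xml.include?("&#{name};")
  end
  findings.uniq
end

# True only for documents that declare no risky DTD constructs at all.
def safe_xml_input?(xml)
  xml_dtd_findings(xml).empty?
end

# Constructed sample documents.
EXTERNAL_DTD = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE user SYSTEM "http://attacker.invalid/evil.dtd">
  <user><name>alice</name></user>
XML

EXTERNAL_ENTITY = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE user [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <user><name>&xxe;</name></user>
XML

EXPANSION = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;"> ]>
  <lolz>&lol2;</lolz>
XML

BENIGN = <<~XML
  <?xml version="1.0"?>
  <user><name>alice</name></user>
XML

if __FILE__ == $PROGRAM_NAME
  { external_dtd: EXTERNAL_DTD, external_entity: EXTERNAL_ENTITY,
    expansion: EXPANSION, benign: BENIGN }.each do |label, doc|
    puts "#{label}: #{xml_dtd_findings(doc).inspect}"
  end
end
```

The gate is deliberately coarse: a DOCTYPE that only appears inside a comment would also be rejected, which is the right trade-off for request bodies that never legitimately carry a DTD. It complements, rather than replaces, configuring the parser itself so that external DTD loading and external entity expansion are off.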
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: 
"5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: "244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: "6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: 
"2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: 
"E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*", matchCriteriaId: "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.", }, { lang: "es", value: "El backend ActiveSupport::XmlMini_JDOM en lib/active_support/xml_mini/jdom.rb en el componente Active Support en Ruby on Rails v3.0.x y 3.1.x anterior a v3.1.12 y v3.2.x anterior a v3.2.13, cuando se usa JRuby, no restringe adecuadamente las capacidades del validador XML, lo que permite a atacantes remotos leer archivos de su elección o provocar una denegación de servicio (consumo de recursos) a través de vectores que involucran (1) una TDT externa o (2) una declaración de entidad externa junto con una referencia a una entidad.", }, ], id: "CVE-2013-1856", lastModified: "2024-11-21T01:50:31.833", 
metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-03-19T22:55:01.070", references: [ { source: "secalert@redhat.com", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "secalert@redhat.com", url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { source: "secalert@redhat.com", url: "http://support.apple.com/kb/HT5784", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, { source: "secalert@redhat.com", url: "https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://support.apple.com/kb/HT5784", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: 
"CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-06-22 14:55
Modified
2024-11-21 01:39
Severity ?
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
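The mismatch the entry describes, as an added example that is not part of this record or of Rails: Rack turns a query string such as `token[]=xyz&token[]` into the array `["xyz", nil]`, and a predicate builder that maps arrays to `IN (...)` and nils to `IS NULL` then produces an `OR reset_token IS NULL` branch the application never intended. The params hashes are constructed to mirror what Rack's nested-query parser yields; the predicate builder is an illustration of the `where(column => value)` behaviour of the period, not the Active Record source; the `deep_munge` shown is written for this example in the spirit of the 3.2.6 normalisation and is not the Rails code.

```ruby
# Added example, not Rails code.
# Constructed request parameters as Rack's nested-query parser yields them:
#   "token=xyz"            -> { "token" => "xyz" }
#   "token[]=xyz&token[]"  -> { "token" => ["xyz", nil] }   (a bare "token[]" adds nil)
NORMAL_PARAMS = { 'token' => 'xyz' }.freeze
ATTACK_PARAMS = { 'token' => ['xyz', nil] }.freeze

def sql_quote(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Predicate builder in the style of where(column => value) from that era
# (illustration, not the Active Record source): an Array becomes IN (...), and
# any nil inside it adds an "OR column IS NULL" branch.
def where_sql(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    nils, values = value.partition(&:nil?)
    parts = []
    parts << "#{column} IN (#{values.map { |v| sql_quote(v) }.join(', ')})" unless values.empty?
    parts << "#{column} IS NULL" unless nils.empty?
    parts.empty? ? '1=0' : parts.join(' OR ')
  else
    "#{column} = #{sql_quote(value)}"
  end
end

# Normalisation in the spirit of the 3.2.6 fix, which scrubs nested request
# params before they reach the query layer. This version is non-destructive and
# drops every nil nested inside an Array; an array that ends up empty matches
# nothing (1=0) rather than everything.
def deep_munge(value)
  case value
  when Array then value.compact.map { |v| deep_munge(v) }
  when Hash  then value.each_with_object({}) { |(k, v), h| h[k] = deep_munge(v) }
  else value
  end
end

# The lookup a password-reset controller typically performs with params['token'].
def reset_token_query(params)
  "SELECT * FROM users WHERE #{where_sql('reset_token', params['token'])}"
end

if __FILE__ == $PROGRAM_NAME
  puts "normal: #{reset_token_query(NORMAL_PARAMS)}"
  puts "attack: #{reset_token_query(ATTACK_PARAMS)}"
  puts "munged: #{reset_token_query(deep_munge(ATTACK_PARAMS))}"
end
```

The attack line shows the bypass: every user whose `reset_token` column is NULL (normally everyone who has not requested a reset) matches. Munging removes only nils nested inside arrays; a scalar `nil` token still yields `IS NULL`, so the controller must additionally reject blank tokens before querying.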
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "8F046DC2-971A-46E6-A61B-AD39B954D634", versionEndIncluding: "3.0.13", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: 
"DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: 
"FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"['xyz', nil]\" values, a related issue to CVE-2012-2660.", }, { lang: "es", value: "actionpack/lib/action_dispatch/http/request.rb en Ruby on Rails antes de la version v3.0.14, en la v3.1.x antes de v3.1.6 y v3.2.x antes de v 3.2.6 no considera adecuadamente las diferencias en el manejo de parámetros entre el componente Active Record y la interfaz Rack, lo que permite a atacantes remotos evitar las restricciones de consulta de bases de datos y realizar comprobaciones de nulos a través de solicitudes hechas a mano, por ejemplo con los valores \"['xyz', nil]\". 
Es un problema relacionado con el CVE-2012-2660.", }, ], id: "CVE-2012-2694", lastModified: "2024-11-21T01:39:27.720", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2012-06-22T14:55:01.097", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "secalert@redhat.com", tags: [ "Exploit", ], url: "https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-264", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2013-01-30 12:00
Modified
2024-11-21 01:47
Severity ?
Summary
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "6E2DF384-3992-43BF-8A5C-65FA53E9A77C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*", matchCriteriaId: "B7453BE5-91C8-42B2-9F75-FFE4038F29A6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*", matchCriteriaId: "A2FD44EB-E899-4FA8-985E-44B75134DDC6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*", matchCriteriaId: "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.", }, { lang: "es", value: "lib/active_support/json/backends/yaml.rb en Ruby on Rails v2.3.x anterior a v2.3.16 y v3.0.x anterior a v3.0.20 no convierte correctamente los datos de tipo JSON a datos YAML para el procesamiento por el analizador YAML, lo cual permite a atacantes remotos ejecutar código arbitrario, conducir ataques de inyección SQL, o saltare la autentificación a través de la modificación de datos que disparan una descodificación insegura, esta vulnerabilidad es diferente a CVE-2013-0156.", }, ], id: "CVE-2013-0333", lastModified: "2024-11-21T01:47:19.573", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-01-30T12:00:08.930", references: [ { source: "secalert@redhat.com", url: 
"http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "secalert@redhat.com", url: "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0201.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0202.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0203.html", }, { source: "secalert@redhat.com", url: "http://support.apple.com/kb/HT5784", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2013/dsa-2613", }, { source: "secalert@redhat.com", tags: [ "US Government Resource", ], url: "http://www.kb.cert.org/vuls/id/628463", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain", }, { source: "secalert@redhat.com", url: "https://puppet.com/security/cve/cve-2013-0333", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0201.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0202.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0203.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://support.apple.com/kb/HT5784", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2013/dsa-2613", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "US Government Resource", ], url: "http://www.kb.cert.org/vuls/id/628463", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://puppet.com/security/cve/cve-2013-0333", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-06-22 14:55
Modified
2024-11-21 01:39
Severity ?
Summary
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: 
"FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.", }, { lang: "es", value: "El componente Active Record en Ruby on Rails v3.0.x antes de v3.0.13, v3.1.x antes de v3.1.5 y v3.2.x antes de 3.2.4 no implementan correctamente el paso de los datos de la solicitud a un método 'where' en la clase ActiveRecord, lo que permite a atacantes remotos llevar a cabo determinados ataques de inyección SQL a través de parámetros de consulta anidadas que se aprovechan de una recursividad no deseada. 
Se trata de un problema relacionado con el CVE-2012-2695.", }, ], id: "CVE-2012-2661", lastModified: "2024-11-21T01:39:23.693", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2012-06-22T14:55:01.067", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "secalert@redhat.com", tags: [ "Exploit", ], url: "https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: 
"https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2008-09-30 17:22
Modified
2024-11-21 00:50
Severity ?
Summary
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*", matchCriteriaId: "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*", matchCriteriaId: "EB938651-C874-4427-AF9B-E9564B258633", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*", matchCriteriaId: "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*", matchCriteriaId: "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*", matchCriteriaId: "897109FF-2C37-458A-91A9-7407F3DFBC99", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*", matchCriteriaId: "289B1633-AAF7-48BE-9A71-0577428EE531", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*", matchCriteriaId: "B947FD6D-CD0B-44EE-95B5-E513AF244905", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*", matchCriteriaId: "E3666B82-1880-4A43-900F-3656F3FB157A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*", matchCriteriaId: "C06D18BA-A0AB-461B-B498-2F1759CBF37D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*", matchCriteriaId: "61EBE7E0-C474-43A7-85E3-093C754A253F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*", matchCriteriaId: "D7195418-A2E9-43E6-B29F-AEACC317E69E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*", matchCriteriaId: "39485B13-3C71-4EC6-97CF-6C796650C5B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*", matchCriteriaId: 
"E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*", matchCriteriaId: "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*", matchCriteriaId: "62323F62-AD04-4F43-A566-718DDB4149CC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*", matchCriteriaId: "A8E890B1-4237-4470-939A-4FC489E04520", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "24F3B933-0F68-4F88-999C-0BE48BC88CF6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*", matchCriteriaId: "7BFCB88D-D946-4510-8DDC-67C32A606589", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*", matchCriteriaId: "E793287E-2BDA-4012-86F5-886B82510431", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*", matchCriteriaId: "DF706143-996C-4120-B620-3EDC977568DF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*", matchCriteriaId: "43E7F32B-C760-4862-B6DB-C38FB2A9182F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*", matchCriteriaId: "FD68A034-73A2-4B1A-95DB-19AD3131F775", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2E78C912-E8FF-495F-B922-43C54D1E2180", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "15B72C17-82C3-4930-9227-226C8E64C2E7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: 
"FA59F311-B2B4-40EE-A878-64EF9F41581B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*", matchCriteriaId: "035B47E9-A395-47D2-9164-A2A2CF878326", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "BDA55D29-C830-45EF-A3B3-BFA9EED88F38", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*", matchCriteriaId: "0A9356A6-D32A-487C-B743-1DA0D6C42FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "2B3C7616-8631-49AC-979C-4347067059AF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*", matchCriteriaId: "EC487B78-AAEA-4F0E-8C8B-F415013A381E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "9CE42D86-A8FE-493F-9AB6-4E032E9294FF", versionEndIncluding: "2.1.0", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "04FDC63D-6ED7-48AE-9D72-6419F54D4B84", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*", matchCriteriaId: "DBF12B2F-39D9-48D5-9620-DF378D199295", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*", matchCriteriaId: "22E1EAAF-7B49-498B-BFEB-357173824F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*", matchCriteriaId: "1B9AD626-0AFA-4873-A701-C7716193A69C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*", matchCriteriaId: "986D2B30-FF07-498B-A5E0-A77BAB402619", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*", matchCriteriaId: "A0E3141A-162C-4674-BD7B-E1539BAA0B7B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*", matchCriteriaId: "86E73F12-0551-42D2-ACC3-223C98B69C7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*", matchCriteriaId: "D6BA0659-2287-4E95-B30D-2441CD96DA90", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*", matchCriteriaId: "B01A4699-32D3-459E-B731-4240C8157F71", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.", }, { lang: "es", value: "\"Múltiples vulnerabilidades de inyección SQL en Ruby on Rails anterior a versión 2.1.1, permiten a los atacantes remotos ejecutar 
comandos SQL arbitrarios por medio de los parámetros (1): limit y (2): offset, relacionados con ActiveRecord, ActiveSupport, ActiveResource, ActionPack y ActionMailer.", }, ], id: "CVE-2008-4094", lastModified: "2024-11-21T00:50:52.997", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2008-09-30T17:22:09.147", references: [ { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1", }, { source: "cve@mitre.org", url: "http://gist.github.com/8946", }, { source: "cve@mitre.org", url: "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html", }, { source: "cve@mitre.org", tags: [ "Patch", ], url: "http://rails.lighthouseapp.com/projects/8994/tickets/288", }, { source: "cve@mitre.org", tags: [ "Patch", ], url: "http://rails.lighthouseapp.com/projects/8994/tickets/964", }, { source: "cve@mitre.org", tags: [ "Exploit", "Vendor Advisory", ], url: "http://secunia.com/advisories/31875", }, { source: "cve@mitre.org", tags: [ "Exploit", "Vendor Advisory", ], url: "http://secunia.com/advisories/31909", }, { source: "cve@mitre.org", tags: [ "Exploit", "Vendor Advisory", ], url: "http://secunia.com/advisories/31910", }, { source: "cve@mitre.org", url: "http://www.openwall.com/lists/oss-security/2008/09/13/2", }, { source: "cve@mitre.org", url: "http://www.openwall.com/lists/oss-security/2008/09/16/1", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: 
"http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/31176", }, { source: "cve@mitre.org", url: "http://www.securitytracker.com/id?1020871", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2008/2562", }, { source: "cve@mitre.org", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://gist.github.com/8946", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://rails.lighthouseapp.com/projects/8994/tickets/288", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://rails.lighthouseapp.com/projects/8994/tickets/964", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Vendor Advisory", ], url: "http://secunia.com/advisories/31875", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Vendor Advisory", ], url: "http://secunia.com/advisories/31909", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Vendor Advisory", ], url: "http://secunia.com/advisories/31910", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2008/09/13/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2008/09/16/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"http://www.securityfocus.com/bid/31176", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id?1020871", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2008/2562", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2013-01-13 22:55
Modified
2024-11-21 01:46
Severity ?
Summary
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
rubyonrails | rails | * | |
rubyonrails | ruby_on_rails | * | |
rubyonrails | ruby_on_rails | * | |
rubyonrails | ruby_on_rails | * | |
debian | debian_linux | 6.0 | |
debian | debian_linux | 7.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", matchCriteriaId: "DF1D9248-14D7-4EA2-B416-D76FBA64E329", versionEndExcluding: "3.2.11", versionStartIncluding: "3.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "B28BEC17-EF03-4790-ACB3-89F615269803", versionEndExcluding: "2.3.15", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "BC513BC8-F945-46A9-A63F-22585232DAE8", versionEndExcluding: "3.0.19", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "08C05EBE-B0D8-48F5-8C69-5801000189BA", versionEndExcluding: "3.1.10", versionStartIncluding: "3.1.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "036E8A89-7A16-411F-9D31-676313BB7244", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "16F59A04-14CF-49E2-9973-645477EA09DA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.", }, { lang: "es", value: "active_support/core_ext/hash/conversions.rb en Ruby on Rails anterior a v2.3.15, v3.0.x anterior a v3.0.19, v3.1.x anterior a v3.1.10, y v3.2.x anterior a v3.2.11 no restringe adecuadamente el \"casting\" de 
las variables de tipo cadena, lo que permite a atacantes remotos llevar a cabo ataques de inyección de objetos y la ejecución de código arbitrario o provocar una denegación de servicio (consumo de memoria y CPU) involucrando a referencias de entidades XML anidadas, aprovechando el soporte de Action Pack para lso tipos de conversion (1) YAML o (2) Symbol.", }, ], id: "CVE-2013-0156", lastModified: "2024-11-21T01:46:57.547", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-01-13T22:55:00.947", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "US Government Resource", ], url: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0153.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: 
"http://www.debian.org/security/2013/dsa-2604", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://www.insinuator.net/2013/01/rails-yaml/", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "US Government Resource", ], url: "http://www.kb.cert.org/vuls/id/380039", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "US Government Resource", ], url: "http://www.kb.cert.org/vuls/id/628463", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://puppet.com/security/cve/cve-2013-0156", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0153.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor 
Advisory", ], url: "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://www.debian.org/security/2013/dsa-2604", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://www.insinuator.net/2013/01/rails-yaml/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "http://www.kb.cert.org/vuls/id/380039", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "http://www.kb.cert.org/vuls/id/628463", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://puppet.com/security/cve/cve-2013-0156", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-12-29 16:29
Modified
2024-11-21 03:18
Severity ?
Summary
SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
References
| URL | Tags | |
---|---|---|---|
cve@mitre.org | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
rubyonrails | ruby_on_rails | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "F46C1792-F008-4AF6-A46D-1E2B262EC13F", versionEndIncluding: "5.1.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [ { sourceIdentifier: "cve@mitre.org", tags: [ "disputed", ], }, ], descriptions: [ { lang: "en", value: "SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input", }, { lang: "es", value: "**EN DISPUTA** Vulnerabilidad de inyección SQL en el método \"order\" en Ruby on Rails 5.1.4 y anteriores permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro \"id desc\". NOTA: El fabricante rechaza este problema porque la documentación indica que este método no esta destinado a utilizarse con datos de entrada no fiables.", }, ], id: "CVE-2017-17919", lastModified: "2024-11-21T03:18:58.603", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2017-12-29T16:29:00.297", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-89", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2012-08-10 10:34
Modified
2024-11-21 01:40
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*", matchCriteriaId: "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*", matchCriteriaId: "EB938651-C874-4427-AF9B-E9564B258633", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*", matchCriteriaId: "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*", matchCriteriaId: "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*", matchCriteriaId: "897109FF-2C37-458A-91A9-7407F3DFBC99", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*", matchCriteriaId: "289B1633-AAF7-48BE-9A71-0577428EE531", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*", matchCriteriaId: "B947FD6D-CD0B-44EE-95B5-E513AF244905", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*", matchCriteriaId: "E3666B82-1880-4A43-900F-3656F3FB157A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*", matchCriteriaId: "C06D18BA-A0AB-461B-B498-2F1759CBF37D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*", matchCriteriaId: "61EBE7E0-C474-43A7-85E3-093C754A253F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*", matchCriteriaId: "D7195418-A2E9-43E6-B29F-AEACC317E69E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*", matchCriteriaId: "39485B13-3C71-4EC6-97CF-6C796650C5B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*", matchCriteriaId: 
"E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*", matchCriteriaId: "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*", matchCriteriaId: "62323F62-AD04-4F43-A566-718DDB4149CC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*", matchCriteriaId: "A8E890B1-4237-4470-939A-4FC489E04520", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "24F3B933-0F68-4F88-999C-0BE48BC88CF6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*", matchCriteriaId: "7BFCB88D-D946-4510-8DDC-67C32A606589", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*", matchCriteriaId: "E793287E-2BDA-4012-86F5-886B82510431", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*", matchCriteriaId: "DF706143-996C-4120-B620-3EDC977568DF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*", matchCriteriaId: "43E7F32B-C760-4862-B6DB-C38FB2A9182F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*", matchCriteriaId: "FD68A034-73A2-4B1A-95DB-19AD3131F775", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2E78C912-E8FF-495F-B922-43C54D1E2180", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "15B72C17-82C3-4930-9227-226C8E64C2E7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: 
"FA59F311-B2B4-40EE-A878-64EF9F41581B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*", matchCriteriaId: "035B47E9-A395-47D2-9164-A2A2CF878326", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "BDA55D29-C830-45EF-A3B3-BFA9EED88F38", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*", matchCriteriaId: "0A9356A6-D32A-487C-B743-1DA0D6C42FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "2B3C7616-8631-49AC-979C-4347067059AF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*", matchCriteriaId: "EC487B78-AAEA-4F0E-8C8B-F415013A381E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: 
"456A2F7E-CC66-48C4-B028-353D2976837A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F9806A84-2160-40EA-9960-AE7756CE4E0A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "07EC67D4-3D0F-4FF9-8197-71175DCB2723", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: 
"5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: 
Vulnerability from fkie_nvd
Published
2017-12-29 16:29
Modified
2024-11-21 03:18
Severity ?
Summary
SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
rubyonrails | ruby_on_rails | *
Vulnerability from fkie_nvd
Published
2006-08-14 21:04
Modified
2024-11-21 00:15
Severity ?
Summary
Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.
References
Impacted products
Vendor | Product | Version
---|---|---
rubyonrails | rails | 0.9.1
rubyonrails | rails | 0.9.2
rubyonrails | rails | 0.9.3
rubyonrails | rails | 0.9.4
rubyonrails | rails | 0.9.4.1
rubyonrails | rails | 0.10.0
rubyonrails | rails | 0.10.1
rubyonrails | rails | 0.11.0
rubyonrails | rails | 0.11.1
rubyonrails | rails | 0.12.0
rubyonrails | rails | 0.12.1
rubyonrails | rails | 0.13.0
rubyonrails | rails | 0.13.1
rubyonrails | rails | 0.14.1
rubyonrails | rails | 0.14.2
rubyonrails | rails | 0.14.3
rubyonrails | rails | 0.14.4
rubyonrails | rails | 1.0.0
rubyonrails | rails | 1.1.0
rubyonrails | rails | 1.1.1
rubyonrails | rails | 1.1.2
rubyonrails | rails | 1.1.3
rubyonrails | ruby_on_rails | *
rubyonrails | ruby_on_rails | 0.5.0
rubyonrails | ruby_on_rails | 0.5.5
rubyonrails | ruby_on_rails | 0.5.6
rubyonrails | ruby_on_rails | 0.5.7
rubyonrails | ruby_on_rails | 0.6.0
rubyonrails | ruby_on_rails | 0.6.5
rubyonrails | ruby_on_rails | 0.7.0
rubyonrails | ruby_on_rails | 0.8.0
rubyonrails | ruby_on_rails | 0.8.5
rubyonrails | ruby_on_rails | 0.9.0
Vulnerability from fkie_nvd
Published
2013-02-13 01:55
Modified
2024-11-21 01:47
Severity ?
Summary
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
References
Impacted products
Vulnerability from fkie_nvd
Published
2014-11-18 23:59
Modified
2024-11-21 02:18
Severity ?
Summary
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", matchCriteriaId: "DFBF430B-0832-44B0-AA0E-BA9E467F7668", vulnerable: true, }, { criteria: "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", matchCriteriaId: "A10BC294-9196-425F-9FB0-B1625465B47F", vulnerable: true, }, { criteria: "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", matchCriteriaId: "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: "244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: "6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FE65D701-AA6E-48E4-B62B-C22DEE863503", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*", matchCriteriaId: "17B1E475-C873-4561-9348-027721C08D79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*", matchCriteriaId: "6646610D-279B-4AEC-B445-981E7784EE5B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*", matchCriteriaId: "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*", matchCriteriaId: "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*", matchCriteriaId: "A499584B-6E2E-42F3-B0CE-DA7BDD732897", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", matchCriteriaId: "254884EE-EBA4-45D0-9704-B5CB22569668", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", matchCriteriaId: "5C913A56-959D-44F1-BD89-D246C66D1F09", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5D5BA926-38EE-47BE-9D16-FDCF360A503B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", matchCriteriaId: "18EA25F1-279A-4F1A-883D-C064369F592E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", matchCriteriaId: "FD794856-6F30-4ABF-8AE4-720BB75E6F89", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", matchCriteriaId: "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", matchCriteriaId: "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", matchCriteriaId: "767C481D-6616-4CA9-9A9B-C994D9121796", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", matchCriteriaId: "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "CA46B621-125E-497F-B2DE-91C989B25936", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B3239443-2E19-4540-BA0C-05A27E44CB6C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", matchCriteriaId: "104AC9CF-6611-4469-9852-7FDAF4EC7638", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", matchCriteriaId: "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", matchCriteriaId: "A462C151-982E-4A83-A376-025015F40645", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*", matchCriteriaId: "660C2AD2-CEC8-4391-84AF-27515A88B29E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "578CC013-776B-4868-B448-B7ACAF3AF832", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", matchCriteriaId: "C310EA3E-399A-48FD-8DE9-6950E328CF23", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "293B2998-5169-4960-BEC4-21DAC837E32B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", matchCriteriaId: "EAB8D57F-9849-428C-B8E9-D0A1020728BB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", matchCriteriaId: "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "0965BDB6-9644-465C-AA32-9278B2D53197", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", matchCriteriaId: "072EB16D-1325-4869-B156-65E786A834C7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", matchCriteriaId: "847B3C3D-8656-404D-A954-09C159EDC8E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", matchCriteriaId: "65CA2D50-B33C-4088-BDDF-EB964C9A092C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", matchCriteriaId: "CADB5989-5260-4F60-ACF2-BEB6D7F97654", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", matchCriteriaId: "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", matchCriteriaId: "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", matchCriteriaId: "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", matchCriteriaId: "709A19A5-8FD1-4F9C-A38C-F06242A94D68", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", matchCriteriaId: "8104482C-E8F5-40A7-8B27-234FEF725FD0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", matchCriteriaId: "2CFF8677-EA00-4F7E-BFF9-272482206DB5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*", matchCriteriaId: "69702127-AB96-4FE0-9AC4-FBE7B8CA77E5", vulnerable: true, }, 
{ criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.20:*:*:*:*:*:*:*", matchCriteriaId: "48D71F7B-CF93-41D4-A824-51CB11F08692", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*", matchCriteriaId: "9E43D2D7-89AE-4805-9732-F1C601D8D8B8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \\ (backslash) character, a similar issue to CVE-2014-7818.", }, { lang: "es", value: "Una vulnerabilidad de salto de directorio en actionpack/lib/action_dispatch/middleware/static.rb en el Action Pack de Ruby on Rails 3.x anterior a 3.2.21, 4.0.x anterior a 4.0.12, 4.1.x anterior a 4.1.8, y 4.2.x anterior a 4.2.0.beta4, cuando serve_static_assets está activado, permite a atacantes remotos determinar la existencia de ficheros fuera de la aplicación root a través de vectores que implican un carácter \\ (barra invertida), un problema similar al CVE-2014-7818.", }, ], id: "CVE-2014-7829", lastModified: "2024-11-21T02:18:05.687", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-11-18T23:59:03.427", references: [ { source: 
"secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/71183", }, { source: "secalert@redhat.com", tags: [ "Exploit", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ", }, { source: "secalert@redhat.com", url: "https://puppet.com/security/cve/cve-2014-7829", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/71183", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://puppet.com/security/cve/cve-2014-7829", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2024-11-21 02:37
Severity ?
Summary
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", matchCriteriaId: "254884EE-EBA4-45D0-9704-B5CB22569668", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", matchCriteriaId: "5C913A56-959D-44F1-BD89-D246C66D1F09", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5D5BA926-38EE-47BE-9D16-FDCF360A503B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", matchCriteriaId: "18EA25F1-279A-4F1A-883D-C064369F592E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", matchCriteriaId: "FD794856-6F30-4ABF-8AE4-720BB75E6F89", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", matchCriteriaId: "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", matchCriteriaId: "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"767C481D-6616-4CA9-9A9B-C994D9121796", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", matchCriteriaId: "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "CA46B621-125E-497F-B2DE-91C989B25936", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B3239443-2E19-4540-BA0C-05A27E44CB6C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", matchCriteriaId: "104AC9CF-6611-4469-9852-7FDAF4EC7638", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", matchCriteriaId: "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", matchCriteriaId: "A462C151-982E-4A83-A376-025015F40645", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*", matchCriteriaId: "660C2AD2-CEC8-4391-84AF-27515A88B29E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "578CC013-776B-4868-B448-B7ACAF3AF832", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", matchCriteriaId: "C310EA3E-399A-48FD-8DE9-6950E328CF23", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "293B2998-5169-4960-BEC4-21DAC837E32B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*", matchCriteriaId: "FB42A8E7-D273-4CE2-9182-D831D8089BFA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "DB757DFD-BF47-4483-A2C0-DF37F7D10989", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: 
"B6C375F2-5027-4B55-9112-C5DD2F787E43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", matchCriteriaId: "EAB8D57F-9849-428C-B8E9-D0A1020728BB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", matchCriteriaId: "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "0965BDB6-9644-465C-AA32-9278B2D53197", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", matchCriteriaId: "072EB16D-1325-4869-B156-65E786A834C7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", matchCriteriaId: "847B3C3D-8656-404D-A954-09C159EDC8E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", matchCriteriaId: "65CA2D50-B33C-4088-BDDF-EB964C9A092C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", matchCriteriaId: "CADB5989-5260-4F60-ACF2-BEB6D7F97654", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", matchCriteriaId: "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", matchCriteriaId: "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B86E26CB-2376-4EBC-913C-B354E2D6711B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", matchCriteriaId: "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*", matchCriteriaId: "D5150753-E86D-4859-A046-97B83EAE2C14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", matchCriteriaId: 
"59C5B869-74FC-4051-A103-A721332B3CF2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*", matchCriteriaId: "7C31EBD2-CD2D-4D38-AA51-A5A56487939A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*", matchCriteriaId: "F11E9791-7BCE-43E5-A4BA-6449623FE4F9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*", matchCriteriaId: "33FBD4E4-0BCD-49E1-BA84-86621B7C4556", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*", matchCriteriaId: "CE521626-2876-455C-9D99-DB74726DC724", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*", matchCriteriaId: "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*", matchCriteriaId: "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*", matchCriteriaId: "16D3B0EA-49F7-401A-A1D9-437429D33EAD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*", matchCriteriaId: "83D1EB17-EE67-48E5-B637-AA9A75D397F6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*", matchCriteriaId: "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*", matchCriteriaId: "A2B1711A-5541-412C-A5A0-274CEAB9E387", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FCB08CD7-E9B9-454F-BAF7-96162D177677", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*", matchCriteriaId: "C3AF00C3-93D9-4284-BCB9-40E42CB8386E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*", matchCriteriaId: "0D3DA0B4-E374-4ED4-8C3B-F723C968666F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*", 
matchCriteriaId: "B1730A9A-6810-4470-AE6C-A5356D5BFF43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9A68D41F-36A9-4B77-814D-996F4E48FA79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", matchCriteriaId: "709A19A5-8FD1-4F9C-A38C-F06242A94D68", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", matchCriteriaId: "8104482C-E8F5-40A7-8B27-234FEF725FD0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", matchCriteriaId: "2CFF8677-EA00-4F7E-BFF9-272482206DB5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", matchCriteriaId: "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "85435026-9855-4BF4-A436-832628B005FD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56C2308F-A590-47B0-9791-7865D189196F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", matchCriteriaId: "9A266882-DABA-4A4C-88E6-60E993EE0947", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", matchCriteriaId: "83F1142C-3BFB-4B72-A033-81E20DB19D02", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", matchCriteriaId: "1FA738A1-227B-4665-B65E-666883FFAE96", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", matchCriteriaId: "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", matchCriteriaId: "10789A2D-6401-4119-BFBE-2EE4C16216D3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", matchCriteriaId: "70ABD462-7142-4831-8EB6-801EC1D05573", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", matchCriteriaId: "81D717DB-7C80-48AA-A774-E291D2E75D6E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", matchCriteriaId: "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "E4BD8840-0F1C-49D3-B843-9CFE64948018", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", matchCriteriaId: "79D5B492-43F9-470F-BD21-6EFD93E78453", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "4EC1F602-D48C-458A-A063-4050BE3BB25F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", matchCriteriaId: "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", matchCriteriaId: "FD191625-ACE2-46B6-9AAD-12D682C732C2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", matchCriteriaId: "02C7DB56-267B-4057-A9BA-36D1E58C6282", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", matchCriteriaId: "AF8F94CF-D504-4165-A69E-3F1198CB162A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "4C068362-0D49-4117-BC96-780AA802CE4E", versionEndIncluding: "3.2.22", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*", matchCriteriaId: "9C8E749B-2908-442A-99F0-91E2772336ED", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*", matchCriteriaId: "9E43D2D7-89AE-4805-9732-F1C601D8D8B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "5F3D8911-060D-435D-ACA2-E29271170CAA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*", matchCriteriaId: 
"EA7A4939-16CF-450D-846A-75B231E32D61", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*", matchCriteriaId: "C964D4A2-3F39-4CC7-A028-B42C94DDB56F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*", matchCriteriaId: "23FD6D82-9A14-4BD4-AA00-1875F0962ACE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.", }, { lang: "es", value: "activerecord/lib/active_record/nested_attributes.rb en Active Record en Ruby on Rails 3.1.x y 3.2.x en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no implementa adecuadamente una cierta opción de destruir, lo que permite a atacantes remotos eludir restricciones destinadas al cambio mediante el aprovechamiento del uso de la funcionalidad de atributos anidados.", }, ], id: "CVE-2015-7577", lastModified: "2024-11-21T02:37:00.983", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, 
obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-02-16T02:59:01.063", references: [ { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2016/dsa-3464", }, { source: "secalert@redhat.com", url: "http://www.openwall.com/lists/oss-security/2016/01/25/10", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/81806", }, { source: "secalert@redhat.com", url: "http://www.securitytracker.com/id/1034816", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2016/dsa-3464", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2016/01/25/10", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/81806", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1034816", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-284", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-06-22 14:55
Modified
2024-11-21 01:39
Severity ?
Summary
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
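The summary above names the mechanism only loosely ("nested query parameters that leverage improper handling of nested hashes"). The following is an added illustration, not Active Record's code: a toy model of how a hash-style where(:id => params[:id]) could be steered when Rack turned a query string like id[posts.user_id]=1 into a nested Hash, and the scalar check that closes the hole. Every name in it (parse_nested_query, build_from_hash, unsafe_post_lookup_sql, safe_post_lookup_sql) is a stand-in written for this example; the parser is a one-level reimplementation so the example runs without Rack.

```ruby
# Added illustration, not Active Record code: a toy model of how a hash-style
# `where(:id => params[:id])` in Rails 3.x could be steered by a nested query
# parameter, and the scalar check that closes the hole. Every name here
# (parse_nested_query, build_from_hash, *_post_lookup_sql) is a stand-in
# written for this example.
require 'cgi'

# One level of Rack-style nesting: "id[posts.user_id]=1" -> {"id"=>{"posts.user_id"=>"1"}}.
# (Rack::Utils.parse_nested_query does this and more; reimplemented here so the
# example runs without Rack.)
def parse_nested_query(query_string)
  query_string.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2).map { |part| CGI.unescape(part.to_s) }
    if (m = key.match(/\A([^\[]+)\[([^\]]*)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

def quote_ident(name)
  %("#{name.to_s.gsub('"', '""')}")
end

def quote_value(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Toy predicate builder with the two behaviours the advisory relies on:
#  * a Hash value means {table => {column => value}}, so the key the developer
#    wrote ("id") is demoted to a table name and the attacker's nested keys
#    become the columns;
#  * a key containing a dot is split into table.column, so the nested key can
#    name any table and column it likes.
def build_from_hash(attributes, default_table)
  attributes.flat_map do |key, value|
    key = key.to_s
    if value.is_a?(Hash)
      build_from_hash(value, key)
    else
      table, column = key.include?('.') ? key.split('.', 2) : [default_table, key]
      ["#{quote_ident(table)}.#{quote_ident(column)} = #{quote_value(value)}"]
    end
  end
end

# Vulnerable shape: the request parameter goes into the condition hash as-is.
def unsafe_post_lookup_sql(query_string)
  params = parse_nested_query(query_string)
  "SELECT * FROM posts WHERE " + build_from_hash({ "id" => params["id"] }, "posts").join(" AND ")
end

# Hardened shape: refuse anything that is not the scalar the query expects.
# (The application-level workaround the Rails advisories gave at the time was
# the equivalent coercion, `params[:id].to_s`, which turns a Hash into a
# harmless string literal instead of a table/column selector.)
def safe_post_lookup_sql(query_string)
  params = parse_nested_query(query_string)
  id = params["id"]
  raise ArgumentError, "id must be a scalar, got #{id.class}" unless id.is_a?(String)
  "SELECT * FROM posts WHERE " + build_from_hash({ "id" => id }, "posts").join(" AND ")
end

if __FILE__ == $0
  puts unsafe_post_lookup_sql("id=7")
  puts unsafe_post_lookup_sql("id%5Bposts.user_id%5D=1")   # the intended `id` filter is gone
  begin
    safe_post_lookup_sql("id%5Bposts.user_id%5D=1")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

With id=7 both variants produce WHERE "posts"."id" = '7'. With id[posts.user_id]=1 the vulnerable variant produces WHERE "posts"."user_id" = '1': no quoting was broken, the attacker simply chose which column is compared. The hardened variant rejects the Hash before it reaches the builder, which is the general lesson: check the type and shape of request data, not just its escaping, before handing it to a query builder that treats structure as meaning.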
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "8F046DC2-971A-46E6-A61B-AD39B954D634", versionEndIncluding: "3.0.13", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: 
"DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: 
"FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.", }, { lang: "es", value: "El componente 'Active Record' en Ruby on Rails antes de la version v3.0.14, v3.1.x antes de v3.1.6 y v3.2.x antes de v3.2.6 no implementa correctamente el paso de los datos de la solicitud a un método 'where' en la clase ActiveRecord, lo que permite llevar a cabo determinados ataques de inyección SQL a atacantes remotos a través de los parámetros de consulta anidadas que aprovechan una indebida manipulación de los hashes anidados. 
Es un problema relacionado con el CVE-2012-2661.", }, ], id: "CVE-2012-2695", lastModified: "2024-11-21T01:39:27.853", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2012-06-22T14:55:01.147", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "secalert@redhat.com", tags: [ "Exploit", ], url: "https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2014-07-07 11:01
Modified
2024-11-21 02:08
Severity ?
Summary
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.
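The summary says only "improper bitstring quoting". The added example below is not the adapter's code; it models the quoting path as a whitelist regex over the value followed by interpolation into a B'...' or X'...' literal, with the whitelist anchored by ^ and $. In Ruby those are line anchors, so any value with one all-binary line passes and the rest of the value lands in the SQL verbatim; the hardened variant uses \A and \z. The upstream fix for this CVE made the same anchor change in the adapter. The names (quote_bit_vulnerable, quote_bit_hardened, hardened_accepts?, flags_where_sql) and the payload are constructed for this example.

```ruby
# Added illustration, not the Active Record PostgreSQL adapter's code: a toy
# bit-string quoter showing the anchor pitfall behind this class of bug.
# `^` and `$` in a Ruby regex match at line boundaries, so a whitelist like
# /^[01]*$/ is satisfied by any value that contains one all-binary line; the
# rest of the value is interpolated into the SQL literal untouched.
# Names (quote_bit_vulnerable, quote_bit_hardened, hardened_accepts?,
# flags_where_sql) are local stand-ins written for this example.

def quote_bit_vulnerable(value)
  case value
  when /^[01]*$/      then "B'#{value}'"  # bit-string notation, line-anchored
  when /^[0-9A-F]*$/i then "X'#{value}'"  # hexadecimal notation, line-anchored
  else raise ArgumentError, "not a bit string: #{value.inspect}"
  end
end

# \A and \z pin the pattern to the whole string (\z rather than \Z so a
# trailing newline is not tolerated either).
def quote_bit_hardened(value)
  case value
  when /\A[01]*\z/      then "B'#{value}'"
  when /\A[0-9A-F]*\z/i then "X'#{value}'"
  else raise ArgumentError, "not a bit string: #{value.inspect}"
  end
end

def hardened_accepts?(value)
  quote_bit_hardened(value)
  true
rescue ArgumentError
  false
end

# The shape of the generated statement; `quoter` is one of the two methods above.
def flags_where_sql(value, quoter)
  "SELECT * FROM users WHERE flags = #{quoter.call(value)}"
end

# Constructed attacker input. The first line closes the B'' literal and adds a
# tautology; the second line is "1", so /^[01]*$/ still matches. The trailing
# `'' = '` swallows the "\n1'" tail into an ordinary string literal, leaving
# the statement syntactically valid for PostgreSQL.
PAYLOAD = "' OR 1=1 OR '' = '\n1".freeze

if __FILE__ == $0
  puts flags_where_sql("1010", method(:quote_bit_vulnerable))
  puts flags_where_sql(PAYLOAD, method(:quote_bit_vulnerable))   # injected tautology
  puts hardened_accepts?(PAYLOAD)                                # false
  puts hardened_accepts?("1010\n")                               # false
end
```

The vulnerable quoter turns the payload into flags = B'' OR 1=1 OR '' = '<newline>1', which is well-formed SQL that matches every row. The hardened quoter rejects it, and also rejects "1010\n", which \Z would have let through. The same rule applies to any whitelist regex used as a security check in Ruby: anchor with \A and \z, never ^ and $.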
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "456A2F7E-CC66-48C4-B028-353D2976837A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F9806A84-2160-40EA-9960-AE7756CE4E0A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "07EC67D4-3D0F-4FF9-8197-71175DCB2723", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: 
"6E2DF384-3992-43BF-8A5C-65FA53E9A77C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*", matchCriteriaId: "B7453BE5-91C8-42B2-9F75-FFE4038F29A6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*", matchCriteriaId: "A2FD44EB-E899-4FA8-985E-44B75134DDC6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*", matchCriteriaId: "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*", matchCriteriaId: "4E1C795F-CCAC-47AC-B809-BD5510310011", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.18:*:*:*:*:*:*:*", matchCriteriaId: "93E0C324-E7F4-4316-B078-BA13F69F10D3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: 
"DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: 
"0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: 
"08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: 
"0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: 
"84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: "244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: 
"6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: 
"6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FE65D701-AA6E-48E4-B62B-C22DEE863503", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*", matchCriteriaId: "17B1E475-C873-4561-9348-027721C08D79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*", matchCriteriaId: "6646610D-279B-4AEC-B445-981E7784EE5B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*", matchCriteriaId: "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*", matchCriteriaId: "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*", matchCriteriaId: "A499584B-6E2E-42F3-B0CE-DA7BDD732897", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.17:*:*:*:*:*:*:*", matchCriteriaId: "B144F6C7-865D-4AD9-92F9-0D65AB3183DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: 
[ { lang: "en", value: "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.", }, { lang: "es", value: "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.", }, ], id: "CVE-2014-3482", lastModified: "2024-11-21T02:08:12.260", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-07-07T11:01:30.527", references: [ { source: "secalert@redhat.com", url: "http://openwall.com/lists/oss-security/2014/07/02/5", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-0876.html", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59973", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/60214", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/60763", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2014/dsa-2982", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/68343", }, { source: "secalert@redhat.com", url: 
"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://openwall.com/lists/oss-security/2014/07/02/5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-0876.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59973", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/60214", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/60763", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2014/dsa-2982", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/68343", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
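The "improper bitstring quoting" in the CVE-2014-3482 entry above is an instance of a common Ruby mistake: `^` and `$` are line anchors, so a regex such as `/^[01]*$/` accepts any string whose first line is made of 0s and 1s, whatever follows the newline. The example below is an added illustration of that bug class and of the fix shape, written for this page; it is not the Active Record PostgreSQL adapter's code, and the helper names and the attacker input are constructed for the demonstration.

```ruby
# Added model of the bit-string quoting bug class: the value is checked
# with line anchors and then interpolated into an SQL literal unescaped.
# Not the Active Record adapter's code; helper names are made up here.

# Vulnerable shape: ^ and $ match at line boundaries, so a value whose
# first line is all 0s and 1s passes even when an arbitrary SQL tail
# follows the newline.
def quote_bit_vulnerable(value)
  case value
  when /^[01]*$/      then "B'#{value}'" # bit-string notation
  when /^[0-9A-F]*$/i then "X'#{value}'" # hexadecimal notation
  end
end

# Hardened shape: \A and \z anchor the whole string (\z, not \Z, which
# still tolerates one trailing newline). Anything that is not a genuine
# bit or hex string is rejected rather than quoted.
def quote_bit_safe(value)
  case value
  when /\A[01]*\z/      then "B'#{value}'"
  when /\A[0-9A-F]*\z/i then "X'#{value}'"
  else raise ArgumentError, "not a bit string: #{value.inspect}"
  end
end

# Constructed attacker input: a valid-looking bit string, a newline, and
# an injected SQL tail that closes the literal.
INJECTED_BITS = "0101\n'); DROP TABLE users; --"

# Runs both quoting routines on the same input and reports what each
# would hand to the database.
def demo(value = INJECTED_BITS)
  vulnerable = quote_bit_vulnerable(value)
  safe = begin
    quote_bit_safe(value)
  rescue ArgumentError => e
    "rejected: #{e.message}"
  end
  { vulnerable: vulnerable, safe: safe }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The vulnerable routine returns `B'0101\n'); DROP TABLE users; --'`, i.e. the literal is closed and the tail runs as SQL; the hardened routine raises. The same anchor check is worth grepping for in any quoting or validation code that gates interpolation on a regex.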
Vulnerability from fkie_nvd
Published
2009-12-07 17:30
Modified
2024-11-21 01:09
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
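The bypass described in this entry relies on a mismatch between what a tokenizer treats as a tag and what a browser treats as a tag: a tag name interrupted by a non-printing ASCII byte is not recognised by the scanner, so it is left in the output as text, while a browser that skips the control byte parses a real element. The scanner below is an added model of that class of bug and of a hardening step, written for this page; it is not the html-scanner code from Rails, and its regexes, method names and samples are constructed for the demonstration.

```ruby
# Added model of the strip_tags bypass class: a tag whose name is broken
# up by a non-printing ASCII byte. Deliberately minimal scanner, not
# Rails's html-scanner; regex and method names are made up here.

# A tag as the naive scanner understands it: "<", optional "/", a name
# made of letters and digits, then optional whitespace-led attributes.
TAG = %r{</?[A-Za-z][A-Za-z0-9]*(?:\s[^>]*)?/?>}

# Non-printing ASCII: everything below 0x20 except \t \n \r, plus DEL.
CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Vulnerable shape: a tag name interrupted by a control byte does not
# match TAG, so the scanner treats the fragment as ordinary text and
# leaves it in the output.
def strip_tags_naive(html)
  html.gsub(TAG, "")
end

# Hardened shape: normalise the input the way a lenient parser would
# (drop the control bytes) before deciding what is and is not a tag.
def strip_tags_hardened(html)
  html.gsub(CONTROL_CHARS, "").gsub(TAG, "")
end

# Returns the samples the naive scanner leaves a "<" in while the
# hardened one does not, i.e. the bypasses.
def bypasses(samples)
  samples.select do |s|
    strip_tags_naive(s).include?("<") && !strip_tags_hardened(s).include?("<")
  end
end

# Constructed samples: ordinary markup, a plain script tag, and the same
# script tag with a NUL byte spliced into the name.
SAMPLES = [
  "<b>bold</b> &amp; plain",
  "<script>alert(1)</script>",
  "<scr\x00ipt>alert(1)</scr\x00ipt>",
]

if __FILE__ == $0
  SAMPLES.each do |s|
    puts "naive:    #{strip_tags_naive(s).inspect}"
    puts "hardened: #{strip_tags_hardened(s).inspect}"
  end
  puts "bypasses: #{bypasses(SAMPLES).map(&:inspect).join(', ')}"
end
```

Dropping control bytes before tokenizing closes this particular gap, but the more robust design is an allow-list sanitizer that escapes anything it does not positively recognise instead of passing it through as text.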
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*", matchCriteriaId: "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*", matchCriteriaId: "EB938651-C874-4427-AF9B-E9564B258633", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*", matchCriteriaId: "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*", matchCriteriaId: "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*", matchCriteriaId: "897109FF-2C37-458A-91A9-7407F3DFBC99", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*", matchCriteriaId: "289B1633-AAF7-48BE-9A71-0577428EE531", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*", matchCriteriaId: "B947FD6D-CD0B-44EE-95B5-E513AF244905", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*", matchCriteriaId: "E3666B82-1880-4A43-900F-3656F3FB157A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*", matchCriteriaId: "C06D18BA-A0AB-461B-B498-2F1759CBF37D", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*", matchCriteriaId: "61EBE7E0-C474-43A7-85E3-093C754A253F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*", matchCriteriaId: "D7195418-A2E9-43E6-B29F-AEACC317E69E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*", matchCriteriaId: "39485B13-3C71-4EC6-97CF-6C796650C5B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*", matchCriteriaId: "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*", matchCriteriaId: "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*", matchCriteriaId: "62323F62-AD04-4F43-A566-718DDB4149CC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*", matchCriteriaId: "A8E890B1-4237-4470-939A-4FC489E04520", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "24F3B933-0F68-4F88-999C-0BE48BC88CF6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*", matchCriteriaId: "7BFCB88D-D946-4510-8DDC-67C32A606589", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*", matchCriteriaId: "E793287E-2BDA-4012-86F5-886B82510431", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*", matchCriteriaId: "DF706143-996C-4120-B620-3EDC977568DF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*", matchCriteriaId: "43E7F32B-C760-4862-B6DB-C38FB2A9182F", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*", matchCriteriaId: "FD68A034-73A2-4B1A-95DB-19AD3131F775", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2E78C912-E8FF-495F-B922-43C54D1E2180", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "15B72C17-82C3-4930-9227-226C8E64C2E7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: "FA59F311-B2B4-40EE-A878-64EF9F41581B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*", matchCriteriaId: "035B47E9-A395-47D2-9164-A2A2CF878326", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "BDA55D29-C830-45EF-A3B3-BFA9EED88F38", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*", matchCriteriaId: "0A9356A6-D32A-487C-B743-1DA0D6C42FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "2B3C7616-8631-49AC-979C-4347067059AF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*", matchCriteriaId: "EC487B78-AAEA-4F0E-8C8B-F415013A381E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "195F4692-EB88-40A4-AEF5-0F81CC41CFE3", versionEndIncluding: "2.1.2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "04FDC63D-6ED7-48AE-9D72-6419F54D4B84", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*", matchCriteriaId: "DBF12B2F-39D9-48D5-9620-DF378D199295", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*", matchCriteriaId: "22E1EAAF-7B49-498B-BFEB-357173824F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*", matchCriteriaId: "1B9AD626-0AFA-4873-A701-C7716193A69C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*", matchCriteriaId: "986D2B30-FF07-498B-A5E0-A77BAB402619", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*", matchCriteriaId: "A0E3141A-162C-4674-BD7B-E1539BAA0B7B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*", matchCriteriaId: "86E73F12-0551-42D2-ACC3-223C98B69C7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*", matchCriteriaId: "D6BA0659-2287-4E95-B30D-2441CD96DA90", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*", 
matchCriteriaId: "B01A4699-32D3-459E-B731-4240C8157F71", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.", }, { lang: "es", value: "Cross-site scripting (XSS) vulnerability in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject web script or HTML of their choice via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.", }, ], id: "CVE-2009-4214", lastModified: "2024-11-21T01:09:10.180", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2009-12-07T17:30:00.217", references: [ { source: "cve@mitre.org", tags: [ "Patch", ], url: "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5", }, { source: "cve@mitre.org", url: "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1", }, { source: "cve@mitre.org", url: "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", }, { source: "cve@mitre.org", url: 
"http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/37446", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/38915", }, { source: "cve@mitre.org", url: "http://support.apple.com/kb/HT4077", }, { source: "cve@mitre.org", url: "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released", }, { source: "cve@mitre.org", url: "http://www.debian.org/security/2011/dsa-2260", }, { source: "cve@mitre.org", url: "http://www.debian.org/security/2011/dsa-2301", }, { source: "cve@mitre.org", url: "http://www.openwall.com/lists/oss-security/2009/11/27/2", }, { source: "cve@mitre.org", url: "http://www.openwall.com/lists/oss-security/2009/12/08/3", }, { source: "cve@mitre.org", tags: [ "Patch", ], url: "http://www.securityfocus.com/bid/37142", }, { source: "cve@mitre.org", url: "http://www.securitytracker.com/id?1023245", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2009/3352", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/37446", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/38915", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://support.apple.com/kb/HT4077", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2011/dsa-2260", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2011/dsa-2301", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2009/11/27/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2009/12/08/3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.securityfocus.com/bid/37142", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id?1023245", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2009/3352", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-03-13 10:55
Modified
2024-11-21 01:36
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
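The point of an html_safe flag is that it certifies the string it is attached to; the bug class this entry describes is a manipulation method that builds a new string from untrusted input and lets the flag ride along, so the template engine outputs the result without escaping. The example below is an added model of that behaviour and of the hardened shape, written for this page; it is not Rails's ActiveSupport::SafeBuffer, the class and method names are made up, and because this entry does not list the affected methods, `gsub` is used here as an assumed illustration.

```ruby
require "cgi"

# Added model of the html_safe flag problem: a stand-in "safe buffer"
# so the two behaviours can be compared side by side. Not Rails's
# ActiveSupport::SafeBuffer; class and method names are made up here.
class Buffer
  attr_reader :str

  def initialize(str, safe: false)
    @str  = str.to_s
    @safe = safe
  end

  def html_safe?
    @safe
  end
end

# Vulnerable shape: a manipulation method returns a new buffer that
# inherits the "safe" flag, even though the replacement text it spliced
# in came from untrusted input.
class LeakyBuffer < Buffer
  def gsub(pattern, replacement)
    LeakyBuffer.new(@str.gsub(pattern, replacement), safe: @safe)
  end
end

# Hardened shape: any method that can splice in text drops the flag, and
# the only way to grow a buffer while keeping it safe is concat, which
# escapes anything not already marked safe.
class StrictBuffer < Buffer
  def gsub(pattern, replacement)
    StrictBuffer.new(@str.gsub(pattern, replacement), safe: false)
  end

  def concat(other)
    text = if other.respond_to?(:html_safe?) && other.html_safe?
             other.str
           else
             CGI.escapeHTML(other.to_s)
           end
    StrictBuffer.new(@str + text, safe: @safe)
  end
end

# Output step, as a template engine would do it: trusted markup passes
# through unchanged, anything else is escaped whole.
def render(buffer)
  buffer.html_safe? ? buffer.str : CGI.escapeHTML(buffer.str)
end

TEMPLATE       = "<p>Hello, NAME</p>"
UNTRUSTED_NAME = "<script>alert(1)</script>" # constructed attacker input

# Same substitution on both buffer types, plus the concat-based way of
# building the markup that keeps the outer tags trusted.
def demo
  leaky  = render(LeakyBuffer.new(TEMPLATE, safe: true).gsub("NAME", UNTRUSTED_NAME))
  strict = render(StrictBuffer.new(TEMPLATE, safe: true).gsub("NAME", UNTRUSTED_NAME))
  fixed  = render(StrictBuffer.new("<p>Hello, ", safe: true)
                    .concat(UNTRUSTED_NAME)
                    .concat(StrictBuffer.new("</p>", safe: true)))
  { leaky: leaky, strict: strict, fixed: fixed }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The leaky buffer renders the injected script verbatim. The strict buffer's `gsub` result is escaped in full, including the `<p>` markup, which is the intended signal that the substitution was the wrong tool; building the output through `concat` keeps the trusted parts as markup and encodes only the untrusted name.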
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.", }, { lang: "es", value: "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Ruby on Rails 3.0.x anteriores a 3.0.12, 3.1.x anteriores a 3.1.4, y 3.2.x anterioes a 3.2.2 permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de vectores que involucran un objeto SafeBuffer que es manipulado a través de determinados métodos.", }, ], id: "CVE-2012-1098", lastModified: "2024-11-21T01:36:24.913", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: 
"PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2012-03-13T10:55:01.213", references: [ { source: "secalert@redhat.com", url: "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released", }, { source: "secalert@redhat.com", url: "http://www.openwall.com/lists/oss-security/2012/03/02/6", }, { source: "secalert@redhat.com", url: "http://www.openwall.com/lists/oss-security/2012/03/03/1", }, { source: "secalert@redhat.com", url: "https://bugzilla.redhat.com/show_bug.cgi?id=799275", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2012/03/02/6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2012/03/03/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://bugzilla.redhat.com/show_bug.cgi?id=799275", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2013-12-07 00:55
Modified
2024-11-21 01:59
Severity ?
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: 
"5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: 
"A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: 
"244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: "6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: 
"96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*", matchCriteriaId: "75842F7D-B1B1-48BA-858F-01148867B3AA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FE65D701-AA6E-48E4-B62B-C22DEE863503", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*", matchCriteriaId: "17B1E475-C873-4561-9348-027721C08D79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "38F53FB7-A292-4273-BFBE-E231235E845D", versionEndIncluding: "3.2.15", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*", matchCriteriaId: "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*", matchCriteriaId: "A325F57E-0055-4279-9ED7-A26E75FC38E5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*", matchCriteriaId: "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*", matchCriteriaId: "991F368C-CEB5-4DE6-A7EE-C341F358A4CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*", matchCriteriaId: "01DB164E-E08E-4649-84BD-15B4159A3AA0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*", matchCriteriaId: "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*", matchCriteriaId: "1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF", versionEndIncluding: "4.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the 
JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.", }, { lang: "es", value: "actoinpack/lib/action_dispatch/http/request.rb en Ruby on Rails anteriores a 3.2.16 y 4.x anteriores a 4.0.2 no considera correctamente las diferencias en la gestión de parámetros entre el componente Active Record y la implementación de JSON, lo cual permite a atacantes remotos sortear restricciones de consultas a la base de datos y ejecutar comprobaciones NULL o provocar falta de cláusulas WHERE a través de una petición manipulada que aprovecha (1) middleware Rack de terceros o (2) middleware Rack propio. NOTA: esta vulnerabilidad existe debido a una corrección incompleta de CVE-2013-0155.", }, ], id: "CVE-2013-6417", lastModified: "2024-11-21T01:59:11.010", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-12-07T00:55:03.773", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { source: "secalert@redhat.com", url: 
"http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-0469.html", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2014/dsa-2888", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ", }, { source: "secalert@redhat.com", url: "https://puppet.com/security/cve/cve-2013-6417", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-0469.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2014/dsa-2888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://puppet.com/security/cve/cve-2013-6417", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-264", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2014-02-20 15:27
Modified
2024-11-21 02:01
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
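The number-helper XSS from this record, as an added example that is neither NVD nor Rails code: a Ruby model of number_to_currency and number_to_human before and after the 3.2.17 / 4.0.3 fix. The real helpers are richer (delimiters, separators, locale defaults, rounding) and are simplified here; `format_amount`, `price_cell`, the image payload and the fixed-precision formatting are constructed for the illustration.

```ruby
require "cgi"

# Constructed model of ActionView's number_to_currency / number_to_human around
# the 3.2.17 / 4.0.3 fix. Real helpers also handle :delimiter, :separator,
# :precision rounding and locale defaults; those are left out here.

# Fixed-precision absolute amount, e.g. 1234.5 -> "1234.50".
def format_amount(number, precision)
  Kernel.format("%.#{precision}f", number.abs)
end

# Before the fix: :format and :negative_format were interpolated verbatim and the
# result was marked html_safe, so a format string taken from params was written
# into the page unescaped.
def number_to_currency_vulnerable(number, unit: "$", precision: 2, format: "%u%n", negative_format: "-%u%n")
  pattern = number.negative? ? negative_format : format
  pattern.gsub("%n", format_amount(number, precision)).gsub("%u", unit)
end

# After the fix: string options are HTML-escaped before interpolation, so an
# attacker-controlled :format can only contribute text. (Rails escapes :unit too
# unless it is already html_safe; here every unit is treated as untrusted.)
def number_to_currency_fixed(number, unit: "$", precision: 2, format: "%u%n", negative_format: "-%u%n")
  pattern = CGI.escapeHTML(number.negative? ? negative_format : format)
  pattern.gsub("%n", format_amount(number, precision)).gsub("%u", CGI.escapeHTML(unit))
end

# number_to_human takes :units as a hash of labels; the same fix escapes each
# label. Only the thousand/million steps are modelled.
def number_to_human_fixed(number, units: { thousand: "Thousand", million: "Million" })
  labels = units.transform_values { |v| CGI.escapeHTML(v.to_s) }
  if number >= 1_000_000
    "#{Kernel.format('%g', number / 1_000_000.0)} #{labels[:million]}"
  elsif number >= 1_000
    "#{Kernel.format('%g', number / 1_000.0)} #{labels[:thousand]}"
  else
    number.to_s
  end
end

ATTACK_FORMAT = "%u%n<img src=x onerror=alert(1)>" # constructed payload

# The view pattern the advisory warns about:
#   <%= number_to_currency(@price, format: params[:format]) %>
def price_cell(price, user_format, fixed:)
  if fixed
    number_to_currency_fixed(price, format: user_format)
  else
    number_to_currency_vulnerable(price, format: user_format)
  end
end
```

The vulnerable version writes the attacker's format string into the page unchanged because the helper marked its output html_safe; the fixed version escapes `:format`, `:negative_format`, `:unit` and every `:units` label before interpolating the number, so the `%u` / `%n` placeholders still work and anything else becomes text. The practical check in an application is whether any of those options are ever taken from `params` at all; the safe default is to keep them as literals.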
References
Impacted products
Vulnerability from fkie_nvd
Published
2013-03-19 22:55
Modified
2024-11-21 01:50
Severity
Summary
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
References
Impacted products
baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-03-19T22:55:01.000", references: [ { source: "secalert@redhat.com", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "secalert@redhat.com", url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0699.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "secalert@redhat.com", url: "http://support.apple.com/kb/HT5784", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, { source: "secalert@redhat.com", url: "https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0699.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://support.apple.com/kb/HT5784", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-04-07 23:59
Modified
2024-11-21 02:47
Summary
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", matchCriteriaId: "254884EE-EBA4-45D0-9704-B5CB22569668", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", matchCriteriaId: "5C913A56-959D-44F1-BD89-D246C66D1F09", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5D5BA926-38EE-47BE-9D16-FDCF360A503B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", matchCriteriaId: "18EA25F1-279A-4F1A-883D-C064369F592E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", matchCriteriaId: "FD794856-6F30-4ABF-8AE4-720BB75E6F89", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", matchCriteriaId: "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", matchCriteriaId: "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", matchCriteriaId: "767C481D-6616-4CA9-9A9B-C994D9121796", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", matchCriteriaId: "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "CA46B621-125E-497F-B2DE-91C989B25936", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B3239443-2E19-4540-BA0C-05A27E44CB6C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", matchCriteriaId: "104AC9CF-6611-4469-9852-7FDAF4EC7638", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", matchCriteriaId: "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", matchCriteriaId: "A462C151-982E-4A83-A376-025015F40645", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "578CC013-776B-4868-B448-B7ACAF3AF832", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", matchCriteriaId: "C310EA3E-399A-48FD-8DE9-6950E328CF23", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "293B2998-5169-4960-BEC4-21DAC837E32B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*", matchCriteriaId: "FB42A8E7-D273-4CE2-9182-D831D8089BFA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "DB757DFD-BF47-4483-A2C0-DF37F7D10989", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6C375F2-5027-4B55-9112-C5DD2F787E43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", matchCriteriaId: "EAB8D57F-9849-428C-B8E9-D0A1020728BB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", matchCriteriaId: "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "0965BDB6-9644-465C-AA32-9278B2D53197", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", matchCriteriaId: "072EB16D-1325-4869-B156-65E786A834C7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", matchCriteriaId: "847B3C3D-8656-404D-A954-09C159EDC8E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", matchCriteriaId: "65CA2D50-B33C-4088-BDDF-EB964C9A092C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", matchCriteriaId: "CADB5989-5260-4F60-ACF2-BEB6D7F97654", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", matchCriteriaId: "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B86E26CB-2376-4EBC-913C-B354E2D6711B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", matchCriteriaId: "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*", matchCriteriaId: "D5150753-E86D-4859-A046-97B83EAE2C14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", matchCriteriaId: "59C5B869-74FC-4051-A103-A721332B3CF2", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*", matchCriteriaId: "F11E9791-7BCE-43E5-A4BA-6449623FE4F9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*", matchCriteriaId: "CE521626-2876-455C-9D99-DB74726DC724", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*", matchCriteriaId: "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*", matchCriteriaId: "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*", matchCriteriaId: "16D3B0EA-49F7-401A-A1D9-437429D33EAD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*", matchCriteriaId: "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FCB08CD7-E9B9-454F-BAF7-96162D177677", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*", matchCriteriaId: "0D3DA0B4-E374-4ED4-8C3B-F723C968666F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*", matchCriteriaId: "B1730A9A-6810-4470-AE6C-A5356D5BFF43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", matchCriteriaId: "709A19A5-8FD1-4F9C-A38C-F06242A94D68", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", matchCriteriaId: "8104482C-E8F5-40A7-8B27-234FEF725FD0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", matchCriteriaId: "2CFF8677-EA00-4F7E-BFF9-272482206DB5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", matchCriteriaId: "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "85435026-9855-4BF4-A436-832628B005FD", vulnerable: 
true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56C2308F-A590-47B0-9791-7865D189196F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", matchCriteriaId: "9A266882-DABA-4A4C-88E6-60E993EE0947", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", matchCriteriaId: "83F1142C-3BFB-4B72-A033-81E20DB19D02", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", matchCriteriaId: "1FA738A1-227B-4665-B65E-666883FFAE96", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", matchCriteriaId: "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", matchCriteriaId: "10789A2D-6401-4119-BFBE-2EE4C16216D3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", matchCriteriaId: "70ABD462-7142-4831-8EB6-801EC1D05573", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", matchCriteriaId: "81D717DB-7C80-48AA-A774-E291D2E75D6E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", matchCriteriaId: "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "E4BD8840-0F1C-49D3-B843-9CFE64948018", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", matchCriteriaId: "79D5B492-43F9-470F-BD21-6EFD93E78453", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "4EC1F602-D48C-458A-A063-4050BE3BB25F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", matchCriteriaId: "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", matchCriteriaId: "FD191625-ACE2-46B6-9AAD-12D682C732C2", vulnerable: true, 
}, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", matchCriteriaId: "02C7DB56-267B-4057-A9BA-36D1E58C6282", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*", matchCriteriaId: "EC163D49-691B-4125-A983-6CF6F6D86DEE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "DBD4FBDC-F05B-4CDD-8928-7122397A7651", versionEndIncluding: "3.2.22.1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*", matchCriteriaId: "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.", }, { lang: "es", value: "Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.2, 4.x en versiones anteriores a 4.1.14.2 y 4.2.x en versiones anteriores a 4.2.5.2 permite a atacantes remotos ejecutar código Ruby arbitrario aprovechando el uso no restringido del método render de una aplicación.", }, ], id: "CVE-2016-2098", lastModified: "2024-11-21T02:47:48.067", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", 
integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-04-07T23:59:06.643", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { source: "secalert@redhat.com", tags: [ "Patch", "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2016/dsa-3509", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/83725", }, { source: "secalert@redhat.com", url: "http://www.securitytracker.com/id/1035122", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ", }, { source: "secalert@redhat.com", url: "https://www.exploit-db.com/exploits/40086/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2016/dsa-3509", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/83725", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1035122", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.exploit-db.com/exploits/40086/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2013-03-19 22:55
Modified
2024-11-21 01:50
Summary
The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*", matchCriteriaId: "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*", matchCriteriaId: "EB938651-C874-4427-AF9B-E9564B258633", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*", matchCriteriaId: "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*", matchCriteriaId: "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*", matchCriteriaId: "897109FF-2C37-458A-91A9-7407F3DFBC99", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*", matchCriteriaId: "289B1633-AAF7-48BE-9A71-0577428EE531", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*", matchCriteriaId: "B947FD6D-CD0B-44EE-95B5-E513AF244905", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*", matchCriteriaId: "E3666B82-1880-4A43-900F-3656F3FB157A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*", matchCriteriaId: "C06D18BA-A0AB-461B-B498-2F1759CBF37D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*", matchCriteriaId: "61EBE7E0-C474-43A7-85E3-093C754A253F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*", matchCriteriaId: "D7195418-A2E9-43E6-B29F-AEACC317E69E", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*", matchCriteriaId: "39485B13-3C71-4EC6-97CF-6C796650C5B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*", matchCriteriaId: "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*", matchCriteriaId: "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*", matchCriteriaId: "62323F62-AD04-4F43-A566-718DDB4149CC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*", matchCriteriaId: "A8E890B1-4237-4470-939A-4FC489E04520", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "24F3B933-0F68-4F88-999C-0BE48BC88CF6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*", matchCriteriaId: "7BFCB88D-D946-4510-8DDC-67C32A606589", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*", matchCriteriaId: "E793287E-2BDA-4012-86F5-886B82510431", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*", matchCriteriaId: "DF706143-996C-4120-B620-3EDC977568DF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*", matchCriteriaId: "43E7F32B-C760-4862-B6DB-C38FB2A9182F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*", matchCriteriaId: "FD68A034-73A2-4B1A-95DB-19AD3131F775", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2E78C912-E8FF-495F-B922-43C54D1E2180", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "15B72C17-82C3-4930-9227-226C8E64C2E7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: "FA59F311-B2B4-40EE-A878-64EF9F41581B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*", matchCriteriaId: "035B47E9-A395-47D2-9164-A2A2CF878326", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "BDA55D29-C830-45EF-A3B3-BFA9EED88F38", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*", matchCriteriaId: "0A9356A6-D32A-487C-B743-1DA0D6C42FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "2B3C7616-8631-49AC-979C-4347067059AF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*", matchCriteriaId: "EC487B78-AAEA-4F0E-8C8B-F415013A381E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "456A2F7E-CC66-48C4-B028-353D2976837A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F9806A84-2160-40EA-9960-AE7756CE4E0A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "07EC67D4-3D0F-4FF9-8197-71175DCB2723", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "6E2DF384-3992-43BF-8A5C-65FA53E9A77C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*", matchCriteriaId: "B7453BE5-91C8-42B2-9F75-FFE4038F29A6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*", matchCriteriaId: "A2FD44EB-E899-4FA8-985E-44B75134DDC6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*", matchCriteriaId: "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*", matchCriteriaId: "4E1C795F-CCAC-47AC-B809-BD5510310011", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "C230384C-A52A-4167-A07D-0E06138EE246", versionEndIncluding: "2.3.17", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "04FDC63D-6ED7-48AE-9D72-6419F54D4B84", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*", matchCriteriaId: "DBF12B2F-39D9-48D5-9620-DF378D199295", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*", matchCriteriaId: "22E1EAAF-7B49-498B-BFEB-357173824F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*", matchCriteriaId: "1B9AD626-0AFA-4873-A701-C7716193A69C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*", matchCriteriaId: "986D2B30-FF07-498B-A5E0-A77BAB402619", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*", matchCriteriaId: "A0E3141A-162C-4674-BD7B-E1539BAA0B7B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*", matchCriteriaId: "86E73F12-0551-42D2-ACC3-223C98B69C7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*", 
matchCriteriaId: "D6BA0659-2287-4E95-B30D-2441CD96DA90", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*", matchCriteriaId: "B01A4699-32D3-459E-B731-4240C8157F71", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: 
true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, 
}, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, 
}, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", 
matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", 
matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: "244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: "6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*", matchCriteriaId: "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does 
not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.", }, { lang: "es", value: "El sanitize helper en lib/action_controller/vendor/html-scanner/html/sanitizer.rb en el componente Action Pack en Ruby on Rails en versiones anteriores a 2.3.18, 3.0.x y 3.1.x en versiones anteriores a 3.1.12 y 3.2.x en versiones anteriores a 3.2.13 no maneja adecuadamente codificación de caracteres : (dos puntos) en URLs, lo que hace que sea más fácil para atacantes remotos llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) a través de un nombre de esquema manipulado, según lo demostrado incluyendo una secuencia :.", }, ], id: "CVE-2013-1857", lastModified: "2024-11-21T01:50:31.973", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2013-03-19T22:55:01.087", references: [ { source: "secalert@redhat.com", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "secalert@redhat.com", url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html", }, { source: "secalert@redhat.com", url: 
"http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0698.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "secalert@redhat.com", url: "http://support.apple.com/kb/HT5784", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, { source: "secalert@redhat.com", url: "https://groups.google.com/group/rubyonrails-security/msg/78b9817a5943f6d6?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0698.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://support.apple.com/kb/HT5784", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/group/rubyonrails-security/msg/78b9817a5943f6d6?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { 
description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2013-12-07 00:55
Modified
2024-11-21 01:59
Severity ?
Summary
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*", matchCriteriaId: "1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF", versionEndIncluding: "4.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, 
{ criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: "244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: "6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*", matchCriteriaId: "75842F7D-B1B1-48BA-858F-01148867B3AA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FE65D701-AA6E-48E4-B62B-C22DEE863503", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*", matchCriteriaId: "17B1E475-C873-4561-9348-027721C08D79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "38F53FB7-A292-4273-BFBE-E231235E845D", versionEndIncluding: "3.2.15", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*", matchCriteriaId: "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*", matchCriteriaId: "A325F57E-0055-4279-9ED7-A26E75FC38E5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*", matchCriteriaId: "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*", matchCriteriaId: "991F368C-CEB5-4DE6-A7EE-C341F358A4CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*", matchCriteriaId: "01DB164E-E08E-4649-84BD-15B4159A3AA0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*", matchCriteriaId: "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to 
excessive caching.", }, { lang: "es", value: "actionpack/lib/action_view/lookup_context.rb en Action View en Ruby on Rails 3.x anteriores a 3.2.16 y 4.x anteriores a 4.0.2 permite a atacantes remotos causar denegación de servicio (consumo de memoria) a través de una cabecera conteniendo un tipo MIME inválido que conduce a un cacheo excesivo.", }, ], id: "CVE-2013-6414", lastModified: "2024-11-21T01:59:10.590", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-12-07T00:55:03.693", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/57836", }, { source: "secalert@redhat.com", tags: [ "Patch", "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { source: "secalert@redhat.com", url: 
"http://www.debian.org/security/2014/dsa-2888", }, { source: "secalert@redhat.com", url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ", }, { source: "secalert@redhat.com", url: "https://puppet.com/security/cve/cve-2013-6414", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/57836", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2014/dsa-2888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://puppet.com/security/cve/cve-2013-6414", 
}, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
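The record above (CVE-2013-6414) describes a memory-exhaustion denial of service: a request header carrying an invalid MIME type caused Action View's lookup context to create and keep a new cache entry for every distinct value, so an attacker who varied the header could grow the cache without bound. The following Ruby is an added illustration of that shape and of the general defence (validate a client-supplied value against a registered set before using it as a cache key). It is not Rails' lookup_context.rb and does not reproduce the project's patch; the MIME registry, the `LookupCache` class and the fallback to `:html` are this example's own assumptions.

```ruby
# Constructed registry of the MIME types the application serves, standing in
# for the framework's registered Mime types (an assumption of this example).
REGISTERED_FORMATS = {
  'text/html'        => :html,
  'application/json' => :json,
  'application/xml'  => :xml,
  'text/javascript'  => :js
}.freeze

# Toy model of a template-lookup details cache keyed by the formats a request
# asked for. Entries are never evicted, so every distinct key is memory the
# client paid nothing for and the server keeps for its lifetime.
class LookupCache
  def initialize(validate:)
    @validate = validate
    @store = {}
  end

  # Turns an Accept-style header into format symbols. With validate: false
  # any token becomes a key (the vulnerable shape); with validate: true only
  # registered types survive and an empty result falls back to :html.
  def formats_for(accept_header)
    tokens = accept_header.to_s.split(',').map { |t| t.split(';').first.to_s.strip }
    if @validate
      valid = tokens.map { |t| REGISTERED_FORMATS[t] }.compact
      valid.empty? ? [:html] : valid
    else
      tokens.map { |t| REGISTERED_FORMATS.fetch(t) { t.to_sym } }
    end
  end

  # Memoises per key; an unbounded, attacker-chosen key space is the bug.
  def details_for(accept_header)
    key = formats_for(accept_header)
    @store[key] ||= { formats: key }
  end

  def size
    @store.size
  end
end

# Sends two legitimate requests and then a flood of requests whose Accept
# header carries a fresh bogus MIME type each time (constructed input), and
# returns how many cache entries exist afterwards.
def cache_entries_after_flood(validate:, garbage_count: 1000)
  cache = LookupCache.new(validate: validate)
  cache.details_for('text/html')
  cache.details_for('application/json;q=0.9')
  garbage_count.times { |i| cache.details_for("bogus/type-#{i}") }
  cache.size
end
```

With validation off the flood leaves one entry per bogus type plus the two legitimate ones; with validation on, unknown types collapse onto the default key and the cache stays at two entries regardless of how many requests arrive. Any cache keyed on request-controlled data needs either this kind of allowlisting or a bounded, evicting store.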
Vulnerability from fkie_nvd
Published
2013-12-07 00:55
Modified
2024-11-21 01:59
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
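The helper named above builds its output by splicing the currency unit into a format string (`%u` for the unit, `%n` for the formatted number) and returns markup the view renders as-is, so in the affected versions a unit taken from a request parameter reaches the page unescaped. The following Ruby is an added, reduced model of that substitution, not the Rails implementation or its patch: `number_to_currency_unescaped` has the vulnerable shape, `number_to_currency_escaped` HTML-escapes the unit before splicing it in, and the attacker value and the `format_number` helper are this example's own constructions.

```ruby
require 'erb'

# Minimal number formatter (this example's own, not Rails'): two decimals,
# thousands delimiter, decimal separator.
def format_number(amount, precision: 2, delimiter: ',', separator: '.')
  int, frac = format("%.#{precision}f", amount).split('.')
  int = int.gsub(/(\d)(?=(\d{3})+$)/, "\\1#{delimiter}")
  frac ? "#{int}#{separator}#{frac}" : int
end

# Vulnerable shape: the unit goes into the markup verbatim. Block form of
# gsub is used so backslashes in the unit are not read as backreferences.
def number_to_currency_unescaped(amount, unit: '$', format: '%u%n')
  number = format_number(amount)
  format.gsub('%u') { unit.to_s }.gsub('%n') { number }
end

# Hardened shape: the unit is HTML-escaped before it is spliced in, so a
# caller passing user input as the unit cannot inject markup.
def number_to_currency_escaped(amount, unit: '$', format: '%u%n')
  number = format_number(amount)
  safe_unit = ERB::Util.html_escape(unit.to_s)
  format.gsub('%u') { safe_unit }.gsub('%n') { number }
end

# Constructed attacker value: a request parameter the application hands
# straight to the helper as the currency unit.
ATTACKER_UNIT = '<script>alert(1)</script>'.freeze
```

The escaping has to live inside the helper, because its return value is treated as safe HTML by the view layer; an application still on an affected version should therefore never pass user-controlled data as `unit:` (or escape it itself before the call), and should upgrade to 3.2.16 or 4.0.2 where the helper does this for it.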
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: 
"5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: 
"A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: 
"244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: "6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: 
"96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*", matchCriteriaId: "75842F7D-B1B1-48BA-858F-01148867B3AA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FE65D701-AA6E-48E4-B62B-C22DEE863503", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*", matchCriteriaId: "17B1E475-C873-4561-9348-027721C08D79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "38F53FB7-A292-4273-BFBE-E231235E845D", versionEndIncluding: "3.2.15", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*", matchCriteriaId: "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*", matchCriteriaId: "A325F57E-0055-4279-9ED7-A26E75FC38E5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*", matchCriteriaId: "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*", matchCriteriaId: "991F368C-CEB5-4DE6-A7EE-C341F358A4CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*", matchCriteriaId: "01DB164E-E08E-4649-84BD-15B4159A3AA0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*", matchCriteriaId: "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*", matchCriteriaId: "1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF", versionEndIncluding: "4.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to 
inject arbitrary web script or HTML via the unit parameter.", }, { lang: "es", value: "Vulnerabilidad Cross-site scripting (XSS) en number_to_currency en actionpack/lib/action_view/helpers/number_helper.rb en Ruby on Rails anterior a v3.2.16 y v4.x anterior a v4.0.2 permite a atacantes remotos inyectar script web o HTML arbitrario a través del parámetro \"unit\".", }, ], id: "CVE-2013-6415", lastModified: "2024-11-21T01:59:10.743", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2013-12-07T00:55:03.710", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "secalert@redhat.com", url: 
"http://secunia.com/advisories/56093", }, { source: "secalert@redhat.com", tags: [ "Patch", "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2014/dsa-2888", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/64077", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ", }, { source: "secalert@redhat.com", url: "https://puppet.com/security/cve/cve-2013-6415", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/56093", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2014/dsa-2888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/64077", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://puppet.com/security/cve/cve-2013-6415", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-08-08 10:26
Modified
2024-11-21 01:40
Severity ?
Summary
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: 
"32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.", }, { lang: "es", value: "El método decode_credentials method en actionpack/lib/action_controller/metal/http_authentication.rb en Ruby on Rails 3.x anterior a 3.0.16, 3.1.x anterior a 3.1.7, y 3.2.x anterior a 3.2.7 convierte las cadenas Digest Authentication a 
símbolos, lo que permite a atacantes remotos provocar una denegación de servicio aprovechando el acceso a una aplicación que se utiliza un método de ayuda with_http_digest, como se demostró con el método authenticate_or_request_with_http_digest.", }, ], id: "CVE-2012-3424", lastModified: "2024-11-21T01:40:50.900", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2012-08-08T10:26:19.063", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/", }, { source: "secalert@redhat.com", url: "https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { 
description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
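The record above (CVE-2012-3424) describes a Digest header parser that turns every client-supplied field name into a Ruby Symbol. Before Ruby 2.2 symbols were never garbage-collected, so a stream of requests with unique field names grows the symbol table until the process runs out of memory. The following is an added example written for this page, not Rails's own decode_credentials: a deliberately simplified parser (it splits on commas, so a quoted value containing a comma is not handled) in a vulnerable form that interns keys and a hardened form that keeps keys as Strings and discards fields outside the RFC 2617 set. The hostile headers are constructed, and the symbol counter uses Symbol.all_symbols as a cheap check; on Ruby 2.2 or later dynamic symbols are collectable, so the leak is bounded there, but the counter still shows which decoder interns attacker input. All function names are this example's own.

```ruby
require 'securerandom'

# Fields RFC 2617 defines for a Digest response; anything else a client sends
# is dropped by the hardened decoder rather than interned.
DIGEST_FIELDS = %w[username realm nonce uri qop nc cnonce response opaque algorithm].freeze

# Splits 'Digest k1="v1", k2="v2"' into [[key, value], ...]. Simplified: a quoted
# value containing a comma would be split, which a production parser must handle.
def split_digest_pairs(header)
  header.to_s.sub(/\ADigest\s+/, '').split(',').map do |pair|
    key, value = pair.split('=', 2)
    [key.to_s.strip, value.to_s.strip.gsub(/\A"|"\z/, '')]
  end.reject { |key, _| key.empty? }
end

# Vulnerable shape: every key the client chose becomes a Symbol.
def decode_digest_credentials_vulnerable(header)
  split_digest_pairs(header).each_with_object({}) do |(key, value), creds|
    creds[key.to_sym] = value
  end
end

# Hardened shape: keys stay Strings and unknown fields are discarded, so the
# client cannot add anything to the symbol table.
def decode_digest_credentials(header)
  split_digest_pairs(header).each_with_object({}) do |(key, value), creds|
    creds[key] = value if DIGEST_FIELDS.include?(key)
  end
end

# Constructed hostile traffic: each header carries one never-seen-before field name.
def hostile_digest_headers(count)
  Array.new(count) { |i| "Digest username=\"bob\", f#{i}_#{SecureRandom.hex(8)}=\"x\"" }
end

# How many symbols a decoder adds to the symbol table for a batch of headers.
def symbols_created_by(decoder, headers)
  before = Symbol.all_symbols.size
  decoded = headers.map { |h| decoder.call(h) }   # hold results so nothing is collected mid-count
  after = Symbol.all_symbols.size
  decoded.clear
  after - before
end
```

Running symbols_created_by(method(:decode_digest_credentials_vulnerable), hostile_digest_headers(200)) reports at least 200 new symbols, while the hardened decoder reports 0. The same rule applies to any code that calls to_sym on header, parameter or JSON keys: intern only against a fixed allow-list, never the raw input.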
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2024-11-21 02:37
Severity ?
Summary
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", matchCriteriaId: "254884EE-EBA4-45D0-9704-B5CB22569668", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", matchCriteriaId: "5C913A56-959D-44F1-BD89-D246C66D1F09", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5D5BA926-38EE-47BE-9D16-FDCF360A503B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", matchCriteriaId: "18EA25F1-279A-4F1A-883D-C064369F592E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", matchCriteriaId: "FD794856-6F30-4ABF-8AE4-720BB75E6F89", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", matchCriteriaId: "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", matchCriteriaId: "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"767C481D-6616-4CA9-9A9B-C994D9121796", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", matchCriteriaId: "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "CA46B621-125E-497F-B2DE-91C989B25936", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B3239443-2E19-4540-BA0C-05A27E44CB6C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", matchCriteriaId: "104AC9CF-6611-4469-9852-7FDAF4EC7638", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", matchCriteriaId: "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", matchCriteriaId: "A462C151-982E-4A83-A376-025015F40645", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*", matchCriteriaId: "660C2AD2-CEC8-4391-84AF-27515A88B29E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "578CC013-776B-4868-B448-B7ACAF3AF832", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", matchCriteriaId: "C310EA3E-399A-48FD-8DE9-6950E328CF23", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "293B2998-5169-4960-BEC4-21DAC837E32B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*", matchCriteriaId: "FB42A8E7-D273-4CE2-9182-D831D8089BFA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "DB757DFD-BF47-4483-A2C0-DF37F7D10989", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: 
"B6C375F2-5027-4B55-9112-C5DD2F787E43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", matchCriteriaId: "EAB8D57F-9849-428C-B8E9-D0A1020728BB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", matchCriteriaId: "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "0965BDB6-9644-465C-AA32-9278B2D53197", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", matchCriteriaId: "072EB16D-1325-4869-B156-65E786A834C7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", matchCriteriaId: "847B3C3D-8656-404D-A954-09C159EDC8E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", matchCriteriaId: "65CA2D50-B33C-4088-BDDF-EB964C9A092C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", matchCriteriaId: "CADB5989-5260-4F60-ACF2-BEB6D7F97654", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", matchCriteriaId: "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", matchCriteriaId: "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B86E26CB-2376-4EBC-913C-B354E2D6711B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", matchCriteriaId: "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*", matchCriteriaId: "D5150753-E86D-4859-A046-97B83EAE2C14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", matchCriteriaId: 
"59C5B869-74FC-4051-A103-A721332B3CF2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*", matchCriteriaId: "7C31EBD2-CD2D-4D38-AA51-A5A56487939A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*", matchCriteriaId: "F11E9791-7BCE-43E5-A4BA-6449623FE4F9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*", matchCriteriaId: "33FBD4E4-0BCD-49E1-BA84-86621B7C4556", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*", matchCriteriaId: "CE521626-2876-455C-9D99-DB74726DC724", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*", matchCriteriaId: "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*", matchCriteriaId: "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*", matchCriteriaId: "16D3B0EA-49F7-401A-A1D9-437429D33EAD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*", matchCriteriaId: "83D1EB17-EE67-48E5-B637-AA9A75D397F6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*", matchCriteriaId: "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*", matchCriteriaId: "A2B1711A-5541-412C-A5A0-274CEAB9E387", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FCB08CD7-E9B9-454F-BAF7-96162D177677", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*", matchCriteriaId: "C3AF00C3-93D9-4284-BCB9-40E42CB8386E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*", matchCriteriaId: "0D3DA0B4-E374-4ED4-8C3B-F723C968666F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*", 
matchCriteriaId: "B1730A9A-6810-4470-AE6C-A5356D5BFF43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9A68D41F-36A9-4B77-814D-996F4E48FA79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", matchCriteriaId: "709A19A5-8FD1-4F9C-A38C-F06242A94D68", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", matchCriteriaId: "8104482C-E8F5-40A7-8B27-234FEF725FD0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", matchCriteriaId: "2CFF8677-EA00-4F7E-BFF9-272482206DB5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", matchCriteriaId: "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "85435026-9855-4BF4-A436-832628B005FD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56C2308F-A590-47B0-9791-7865D189196F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", matchCriteriaId: "9A266882-DABA-4A4C-88E6-60E993EE0947", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", matchCriteriaId: "83F1142C-3BFB-4B72-A033-81E20DB19D02", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", matchCriteriaId: "1FA738A1-227B-4665-B65E-666883FFAE96", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", matchCriteriaId: "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", matchCriteriaId: "10789A2D-6401-4119-BFBE-2EE4C16216D3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", matchCriteriaId: "70ABD462-7142-4831-8EB6-801EC1D05573", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", matchCriteriaId: "81D717DB-7C80-48AA-A774-E291D2E75D6E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", matchCriteriaId: "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "E4BD8840-0F1C-49D3-B843-9CFE64948018", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", matchCriteriaId: "79D5B492-43F9-470F-BD21-6EFD93E78453", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "4EC1F602-D48C-458A-A063-4050BE3BB25F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", matchCriteriaId: "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", matchCriteriaId: "FD191625-ACE2-46B6-9AAD-12D682C732C2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", matchCriteriaId: "02C7DB56-267B-4057-A9BA-36D1E58C6282", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", matchCriteriaId: "AF8F94CF-D504-4165-A69E-3F1198CB162A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "4C068362-0D49-4117-BC96-780AA802CE4E", versionEndIncluding: "3.2.22", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*", matchCriteriaId: "9C8E749B-2908-442A-99F0-91E2772336ED", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*", matchCriteriaId: "9E43D2D7-89AE-4805-9732-F1C601D8D8B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "5F3D8911-060D-435D-ACA2-E29271170CAA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*", matchCriteriaId: 
"EA7A4939-16CF-450D-846A-75B231E32D61", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*", matchCriteriaId: "C964D4A2-3F39-4CC7-A028-B42C94DDB56F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*", matchCriteriaId: "23FD6D82-9A14-4BD4-AA00-1875F0962ACE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.", }, { lang: "es", value: "El método http_basic_authenticate_with en actionpack/lib/action_controller/metal/http_authentication.rb en la implementación Basic Authentication en Action Controller en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no usa el algoritmo de tiempo constante para verificar credenciales, lo que hace que sea más fácil para atacantes remotos eludir la autenticación mediante la medición de las diferencias de temporización.", }, ], id: "CVE-2015-7576", lastModified: "2024-11-21T02:37:00.807", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: 
"AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.2, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-02-16T02:59:00.110", references: [ { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2016/dsa-3464", }, { source: "secalert@redhat.com", url: "http://www.openwall.com/lists/oss-security/2016/01/25/8", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/81803", }, { source: "secalert@redhat.com", url: 
"http://www.securitytracker.com/id/1034816", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2016/dsa-3464", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2016/01/25/8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/81803", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1034816", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-254", }, ], source: "nvd@nist.gov", 
type: "Primary", }, ], }
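The record above (CVE-2015-7576) is about http_basic_authenticate_with comparing the supplied name and password with ordinary string equality, which returns at the first differing byte and so leaks, through response time, how much of a guess is correct. The following is an added example for this page, not the Rails patch: a minimal Basic-auth check in the vulnerable form and in a hardened form that hashes both sides to a fixed length (so the secret's length is not leaked either), compares every byte without early exit, and combines the name and password checks with a non-short-circuiting & so the password is always compared even when the name is wrong. The approach mirrors the constant-time comparison Rails adopted; the helper names and the sample credentials are this example's own.

```ruby
require 'base64'
require 'digest'

# Builds the header a client would send; used here to construct test input.
def build_basic_header(name, password)
  'Basic ' + Base64.strict_encode64("#{name}:#{password}")
end

# Returns [name, password] or nil when the header is not usable Basic auth.
def decode_basic_header(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  decoded = Base64.decode64(header[6..-1])
  name, password = decoded.split(':', 2)
  return nil if name.nil? || name.empty?
  [name, password.to_s]
end

# Byte-by-byte comparison with no early exit. Only safe for equal lengths,
# which is why secure_compare hashes both inputs first.
def fixed_length_secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Fixed-length compare over SHA-256 digests so neither content nor length leaks.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.digest(a.to_s), Digest::SHA256.digest(b.to_s))
end

# Vulnerable shape: String#== stops at the first mismatch, and && skips the
# password check entirely when the name is wrong.
def basic_auth_ok_vulnerable?(header, name:, password:)
  given_name, given_password = decode_basic_header(header)
  return false if given_name.nil?
  given_name == name && given_password == password
end

# Hardened shape: constant-time compares joined with & (not &&) so both run.
def basic_auth_ok?(header, name:, password:)
  given_name, given_password = decode_basic_header(header)
  return false if given_name.nil?
  secure_compare(given_name, name) & secure_compare(given_password, password)
end
```

In a Rails application the fixed versions expose the same idea as ActiveSupport::SecurityUtils.secure_compare; the point of writing it out is that both properties matter: no early exit inside the comparison, and no short-circuit between the two comparisons.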
Vulnerability from fkie_nvd
Published
2013-01-13 22:55
Modified
2024-11-21 01:46
Severity ?
Summary
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
References
Impacted products
Vendor | Product | Version
---|---|---
rubyonrails | rails | 3.2.0 up to (excluding) 3.2.11
rubyonrails | ruby_on_rails | 3.0.0 up to (excluding) 3.0.19
rubyonrails | ruby_on_rails | 3.1.0 up to (excluding) 3.1.10
debian | debian_linux | 6.0
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", matchCriteriaId: "DF1D9248-14D7-4EA2-B416-D76FBA64E329", versionEndExcluding: "3.2.11", versionStartIncluding: "3.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "BC513BC8-F945-46A9-A63F-22585232DAE8", versionEndExcluding: "3.0.19", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "08C05EBE-B0D8-48F5-8C69-5801000189BA", versionEndExcluding: "3.1.10", versionStartIncluding: "3.1.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "036E8A89-7A16-411F-9D31-676313BB7244", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2660 and CVE-2012-2694.", }, { lang: "es", value: "Ruby on Rails v3.0.x anteior a v3.0.19, v3.1.x anteior a v3.1.10, y v3.2.x anteior a v3.2.11 no considera adecuadamente las diferencias en el manejo de parámetros entre el componente Active Record y la implementación JSON, lo que permite a atacantes remotos evitar las restricciones de peticiones a base de datos y realizar chequeos NULL o provocar un WHERE a través de una consulta manipulada. Como se ha demostrado mdiante determinados valires \"[nil]\". 
Relacionado con los CVE-2012-2660 y CVE-2012-2694.", }, ], id: "CVE-2013-0155", lastModified: "2024-11-21T01:46:57.407", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-01-13T22:55:00.900", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "US Government Resource", ], url: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", 
], url: "http://support.apple.com/kb/HT5784", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://www.debian.org/security/2013/dsa-2609", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://puppet.com/security/cve/cve-2013-0155", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://support.apple.com/kb/HT5784", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://www.debian.org/security/2013/dsa-2609", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://puppet.com/security/cve/cve-2013-0155", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-264", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-08-10 10:34
Modified
2024-11-21 01:40
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", 
matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, 
}, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: 
"1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag 
helper.", }, { lang: "es", value: "Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en actionpack/lib/action_view/helpers/form_tag_helper.rb en Ruby on Rails v3.x anterior a v3.0.17, v3.1.x anterior a v3.1.8, y v3.2.x anterior a v3.2.8 permite la administración remota los atacantes para inyectar secuencias de comandos web o HTML a través del campo del sistema para el (helper) select_tag.", }, ], id: "CVE-2012-3463", lastModified: "2024-11-21T01:40:55.700", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2012-08-10T10:34:47.843", references: [ { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "secalert@redhat.com", url: "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", 
}, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2011-06-30 15:55
Modified
2024-11-21 01:27
Severity ?
Summary
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "456A2F7E-CC66-48C4-B028-353D2976837A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F9806A84-2160-40EA-9960-AE7756CE4E0A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "07EC67D4-3D0F-4FF9-8197-71175DCB2723", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: 
"4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.", }, { lang: "es", value: "La característica de prevención de secuencias de comandos en sitios cruzados (XSS) de Ruby en Rails v2.x anterior a v2.3.12, v3.0.x anterior a v3.0.8, y v3.1.x anterior a v3.1.0.rc2 no maneja adecuadamente la mutación de búfers seguros, esto facilita a los atacantes remotos provocar ataques XSS a través de cadenas manipuladas de una aplicación que usa un método de cadena problemático, como se ha demostrado con el sub-método.", }, ], id: "CVE-2011-2197", lastModified: "2024-11-21T01:27:47.783", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { 
accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2011-06-30T15:55:01.910", references: [ { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://openwall.com/lists/oss-security/2011/06/09/2", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://openwall.com/lists/oss-security/2011/06/13/9", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/44789", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: 
"http://openwall.com/lists/oss-security/2011/06/09/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://openwall.com/lists/oss-security/2011/06/13/9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/44789", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2015-07-26 22:59
Modified
2024-11-21 02:28
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
References
Impacted products
Vendor | Product | Version
---|---|---
rubyonrails | rails | 3.0.0
rubyonrails | rails | 3.1.0
rubyonrails | rails | 3.2.0
rubyonrails | rails | 3.2.1
rubyonrails | rails | 3.2.2
rubyonrails | rails | 3.2.3
rubyonrails | rails | 3.2.4
rubyonrails | rails | 3.2.5
rubyonrails | rails | 3.2.6
rubyonrails | rails | 3.2.7
rubyonrails | rails | 3.2.8
rubyonrails | rails | 3.2.9
rubyonrails | rails | 3.2.10
rubyonrails | rails | 3.2.11
rubyonrails | rails | 3.2.12
rubyonrails | rails | 3.2.13
rubyonrails | rails | 3.2.15
rubyonrails | rails | 3.2.16
rubyonrails | rails | 3.2.17
rubyonrails | rails | 4.1.0
rubyonrails | rails | 4.1.1
rubyonrails | rails | 4.1.2
rubyonrails | rails | 4.1.3
rubyonrails | rails | 4.1.4
rubyonrails | rails | 4.1.5
rubyonrails | rails | 4.1.6
rubyonrails | rails | 4.1.7
rubyonrails | rails | 4.1.8
rubyonrails | rails | 4.2.0
rubyonrails | rails | 4.2.1
rubyonrails | ruby_on_rails | 3.2.14
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", 
vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*", matchCriteriaId: "75842F7D-B1B1-48BA-858F-01148867B3AA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*", matchCriteriaId: "C0406FF0-30F5-40E2-B9B8-FE465D923DE4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*", matchCriteriaId: "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*", matchCriteriaId: "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*", matchCriteriaId: "0B7A927B-7E18-44B5-9307-E602790F8AB7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", matchCriteriaId: "EAB8D57F-9849-428C-B8E9-D0A1020728BB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", matchCriteriaId: "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", matchCriteriaId: "847B3C3D-8656-404D-A954-09C159EDC8E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", matchCriteriaId: "65CA2D50-B33C-4088-BDDF-EB964C9A092C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", matchCriteriaId: "CADB5989-5260-4F60-ACF2-BEB6D7F97654", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", matchCriteriaId: "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", matchCriteriaId: "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", matchCriteriaId: "59C5B869-74FC-4051-A103-A721332B3CF2", vulnerable: true, }, 
{ criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9A68D41F-36A9-4B77-814D-996F4E48FA79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", matchCriteriaId: "83F1142C-3BFB-4B72-A033-81E20DB19D02", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*", matchCriteriaId: "A325F57E-0055-4279-9ED7-A26E75FC38E5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.", }, { lang: "es", value: "Vulnerabilidad XSS en json/encoding.rb en Active Support en Ruby on Rails en las versiones 3.x, 4.1.x anterior a 4.1.11 y 4.2 anterior a 4.2.2, permite a atacantes remotos inyectar código arbitrario HTML o web script a través de un Hash manipulado que no es manejado correctamente durante la codificación JSON.", }, ], id: "CVE-2015-3226", lastModified: "2024-11-21T02:28:56.833", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2015-07-26T22:59:05.133", references: [ { source: "secalert@redhat.com", url: "http://openwall.com/lists/oss-security/2015/06/16/17", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2016/dsa-3464", }, { source: 
"secalert@redhat.com", url: "http://www.securityfocus.com/bid/75231", }, { source: "secalert@redhat.com", url: "http://www.securitytracker.com/id/1033755", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://openwall.com/lists/oss-security/2015/06/16/17", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2016/dsa-3464", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/75231", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1033755", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
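The defect behind CVE-2015-3226 is a gap in where Active Support's HTML escaping for JSON was applied: string values were escaped, but the keys of a Hash were not, so an attacker-controlled key could carry a raw `<`, `>` or `&` into JSON that the application then embedded in an inline script block. The following is an added example written for this page, not Active Support's own encoder. It builds a deliberately simplified encoder in both shapes: one that escapes only values (the defect), and one that routes keys through the same escaping (the corrected behaviour). The `\u003c`-style escapes mirror what Active Support emits when `escape_html_entities_in_json` is on; the sample hash is constructed for the demonstration.

```ruby
require 'json'

# Characters that let JSON embedded in an inline <script> block close the
# block or open a tag. Replacing them with \uXXXX escapes keeps the JSON
# valid while the HTML parser never sees a literal "<", ">" or "&".
HTML_UNSAFE = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# JSON string literal for +str+ with the HTML-sensitive characters escaped.
# The block form of gsub inserts the replacement literally (no backslash
# interpretation), which matters because the replacement itself contains "\u".
def html_safe_json_string(str)
  str.to_s.to_json.gsub(/[<>&]/) { |c| HTML_UNSAFE[c] }
end

# Defective shape (illustrative, not Rails' code): string values are escaped,
# but Hash keys are emitted as plain JSON strings and keep their "<" and ">".
def encode_escaping_values_only(obj)
  case obj
  when Hash
    pairs = obj.map { |k, v| "#{k.to_s.to_json}:#{encode_escaping_values_only(v)}" }
    "{#{pairs.join(',')}}"
  when Array
    "[#{obj.map { |v| encode_escaping_values_only(v) }.join(',')}]"
  when String
    html_safe_json_string(obj)
  else
    obj.to_json
  end
end

# Corrected shape: keys go through exactly the same escaping as values.
def encode_escaping_keys_and_values(obj)
  case obj
  when Hash
    pairs = obj.map { |k, v| "#{html_safe_json_string(k)}:#{encode_escaping_keys_and_values(v)}" }
    "{#{pairs.join(',')}}"
  when Array
    "[#{obj.map { |v| encode_escaping_keys_and_values(v) }.join(',')}]"
  when String
    html_safe_json_string(obj)
  else
    obj.to_json
  end
end

# Would this serialized JSON terminate an inline <script> block if a template
# interpolated it verbatim? A raw "</script" anywhere in the text is enough.
def breaks_out_of_script?(json)
  json.downcase.include?('</script')
end

# Constructed sample input: the attacker controls a hash *key*, for instance a
# user-chosen attribute name the application echoes back as JSON in a page.
CRAFTED = { '</script><script>alert(1)</script>' => 'x', 'safe' => '<b>' }.freeze

if $PROGRAM_NAME == __FILE__
  puts "values only: #{encode_escaping_values_only(CRAFTED)}"
  puts "keys+values: #{encode_escaping_keys_and_values(CRAFTED)}"
end
```

The corrected output still parses back to the original hash, so the escaping costs nothing in fidelity; the only difference is that no raw `<` reaches the HTML parser. The same check applies to any serializer that is HTML-escaping by position rather than by type: every string that ends up in the output, key or value, has to pass through the escape.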
Vulnerability from fkie_nvd
Published
2007-11-21 21:46
Modified
2024-11-21 00:39
Severity ?
Summary
The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*", matchCriteriaId: "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*", matchCriteriaId: "EB938651-C874-4427-AF9B-E9564B258633", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*", matchCriteriaId: "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*", matchCriteriaId: "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*", matchCriteriaId: "897109FF-2C37-458A-91A9-7407F3DFBC99", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*", matchCriteriaId: "289B1633-AAF7-48BE-9A71-0577428EE531", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*", matchCriteriaId: "B947FD6D-CD0B-44EE-95B5-E513AF244905", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*", matchCriteriaId: "E3666B82-1880-4A43-900F-3656F3FB157A", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*", matchCriteriaId: "C06D18BA-A0AB-461B-B498-2F1759CBF37D", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*", matchCriteriaId: "61EBE7E0-C474-43A7-85E3-093C754A253F", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*", matchCriteriaId: "D7195418-A2E9-43E6-B29F-AEACC317E69E", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*", matchCriteriaId: "39485B13-3C71-4EC6-97CF-6C796650C5B9", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*", matchCriteriaId: 
"E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*", matchCriteriaId: "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*", matchCriteriaId: "62323F62-AD04-4F43-A566-718DDB4149CC", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*", matchCriteriaId: "A8E890B1-4237-4470-939A-4FC489E04520", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "24F3B933-0F68-4F88-999C-0BE48BC88CF6", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*", matchCriteriaId: "7BFCB88D-D946-4510-8DDC-67C32A606589", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*", matchCriteriaId: "E793287E-2BDA-4012-86F5-886B82510431", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*", matchCriteriaId: "DF706143-996C-4120-B620-3EDC977568DF", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*", matchCriteriaId: "43E7F32B-C760-4862-B6DB-C38FB2A9182F", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*", matchCriteriaId: "FD68A034-73A2-4B1A-95DB-19AD3131F775", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2E78C912-E8FF-495F-B922-43C54D1E2180", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "15B72C17-82C3-4930-9227-226C8E64C2E7", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: 
"FA59F311-B2B4-40EE-A878-64EF9F41581B", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*", matchCriteriaId: "035B47E9-A395-47D2-9164-A2A2CF878326", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "BDA55D29-C830-45EF-A3B3-BFA9EED88F38", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*", matchCriteriaId: "0A9356A6-D32A-487C-B743-1DA0D6C42FA6", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "2B3C7616-8631-49AC-979C-4347067059AF", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*", matchCriteriaId: "EC487B78-AAEA-4F0E-8C8B-F415013A381E", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: 
"456A2F7E-CC66-48C4-B028-353D2976837A", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F9806A84-2160-40EA-9960-AE7756CE4E0A", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "07EC67D4-3D0F-4FF9-8197-71175DCB2723", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", 
matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: false, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: false, }, { 
criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", 
vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: 
"3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", 
matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "04FDC63D-6ED7-48AE-9D72-6419F54D4B84", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*", matchCriteriaId: "DBF12B2F-39D9-48D5-9620-DF378D199295", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*", matchCriteriaId: "22E1EAAF-7B49-498B-BFEB-357173824F4B", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*", matchCriteriaId: "1B9AD626-0AFA-4873-A701-C7716193A69C", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*", matchCriteriaId: "986D2B30-FF07-498B-A5E0-A77BAB402619", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*", matchCriteriaId: "A0E3141A-162C-4674-BD7B-E1539BAA0B7B", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*", matchCriteriaId: "86E73F12-0551-42D2-ACC3-223C98B69C7E", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*", matchCriteriaId: "D6BA0659-2287-4E95-B30D-2441CD96DA90", vulnerable: false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*", matchCriteriaId: "B01A4699-32D3-459E-B731-4240C8157F71", vulnerable: 
false, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: false, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.", }, { lang: "es", value: "El mecanismo de protección de fijación de sesión en el archivo cgi_process.rb en Rails versión 1.2.4, como es usado en Ruby on Rails, elimina el atributo :cookie_only de la constante DEFAULT_SESSION_OPTIONS, lo que causa efectivamente que cookie_only se aplique solo a la primera instancia de CgiRequest, lo que permite a atacantes remotos conducir ataques de fijación de sesión. 
NOTA: esto es debido a una corrección incompleta para el CVE-2007-5380.", }, ], id: "CVE-2007-6077", lastModified: "2024-11-21T00:39:18.210", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: true, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2007-11-21T21:46:00.000", references: [ { source: "cve@mitre.org", url: "http://dev.rubyonrails.org/changeset/8177", }, { source: "cve@mitre.org", tags: [ "Patch", ], url: "http://dev.rubyonrails.org/ticket/10048", }, { source: "cve@mitre.org", url: "http://docs.info.apple.com/article.html?artnum=307179", }, { source: "cve@mitre.org", url: "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/27781", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/28136", }, { source: "cve@mitre.org", url: "http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/26598", }, { source: "cve@mitre.org", tags: [ "US Government Resource", ], url: "http://www.us-cert.gov/cas/techalerts/TA07-352A.html", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2007/4009", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2007/4238", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://dev.rubyonrails.org/changeset/8177", 
}, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://dev.rubyonrails.org/ticket/10048", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://docs.info.apple.com/article.html?artnum=307179", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/27781", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/28136", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/26598", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "US Government Resource", ], url: "http://www.us-cert.gov/cas/techalerts/TA07-352A.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2007/4009", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2007/4238", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-362", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
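The failure mode in CVE-2007-6077 is worth seeing in code because it is not a missing check but a shared mutable default: the `cookie_only` flag lived in a constant Hash, the request layer removed the key from that Hash when it consumed it, and so only the first `CgiRequest` ever saw `cookie_only => true`. Every later request fell back to accepting a session ID from the query string, which is exactly the session fixation vector the flag exists to block. The example below is written for this page and is not Rails' `cgi_process.rb`; the `Request` struct, the reason the key is stripped (a session store that rejects unknown options) and the request samples are assumptions made for the demonstration.

```ruby
# A minimal request: cookies the browser sent, and URL/query parameters.
Request = Struct.new(:cookies, :params)

# Resolve the session ID for a request. With cookie_only the ID is taken from
# the cookie jar only; without it, an ID supplied in the URL is honoured, which
# lets an attacker hand a victim a link carrying a session ID of their choosing.
def lookup_session_id(request, session_key, cookie_only)
  id = request.cookies[session_key]
  id ||= request.params[session_key] unless cookie_only
  id
end

# Defective shape (illustrative): +defaults+ is the application-wide options
# Hash. The :cookie_only key is deleted from it before the remaining options
# are handed to the session store (assumed here to reject unknown keys), so the
# *shared* Hash loses the flag after the first request.
def vulnerable_session_id(request, defaults)
  cookie_only = defaults.delete(:cookie_only)   # mutates the shared defaults
  store_options = defaults
  lookup_session_id(request, store_options[:session_key], cookie_only)
end

# Corrected shape: work on a per-request copy; the shared defaults are never
# modified, so every request sees cookie_only => true.
def fixed_session_id(request, defaults)
  store_options = defaults.dup
  cookie_only = store_options.delete(:cookie_only)
  lookup_session_id(request, store_options[:session_key], cookie_only)
end

# Run a sequence of requests through one resolver against one defaults Hash and
# return the session ID each request ended up with.
def session_ids_for(requests, defaults, resolver)
  requests.map { |r| resolver.call(r, defaults) }
end

# Constructed sample: two requests with no session cookie, each carrying an
# attacker-chosen ID in the URL (the fixation attempt).
FIXATION_ATTEMPTS = [
  Request.new({}, { '_app_session' => 'attacker-chosen' }),
  Request.new({}, { '_app_session' => 'attacker-chosen' }),
].freeze

def fresh_defaults
  { session_key: '_app_session', cookie_only: true }
end

if $PROGRAM_NAME == __FILE__
  p session_ids_for(FIXATION_ATTEMPTS, fresh_defaults, method(:vulnerable_session_id))
  p session_ids_for(FIXATION_ATTEMPTS, fresh_defaults, method(:fixed_session_id))
end
```

The first request is protected in both versions, which is why a single-request test passes against the defective code; the regression only shows on the second request through the same process. A test for this class of bug has to drive at least two requests through shared configuration, and a reviewer should treat `delete` or `merge!` on anything named `DEFAULT_*` as a defect until proven otherwise.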
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2024-11-21 01:29
Severity ?
Summary
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
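As an added illustration of the quoting defect this entry describes (example code written for this page, not Active Record's adapter code): `quote_table_name` builds on the adapter's column-name quoting, and if that quoting merely wraps the name in delimiters without escaping an embedded delimiter, a crafted name closes the identifier early and the remainder is parsed as SQL. The MySQL backtick convention is used below; the parser, the `order_by_sql` builder and the crafted name are constructed for the demonstration.

```ruby
# Defective shape (illustrative): wrap in backticks, no escaping. A backtick
# inside +name+ terminates the identifier and everything after it is SQL.
def quote_column_name_unsafe(name)
  "`#{name}`"
end

# Hardened: double every embedded backtick, which is how MySQL represents a
# literal backtick inside a backtick-quoted identifier.
def quote_column_name_safe(name)
  "`#{name.to_s.gsub('`', '``')}`"
end

# Quote each dotted segment ("db.users" => `db`.`users`). It inherits whatever
# the column quoter does with a stray backtick, which is why both adapters'
# methods had to change together.
def quote_table_name(name, quoter)
  name.to_s.split('.').map { |part| quoter.call(part) }.join('.')
end

# Typical call site: a sort column taken from a request parameter.
def order_by_sql(table, column, quoter)
  "SELECT * FROM #{quote_table_name(table, quoter)} ORDER BY #{quoter.call(column)}"
end

# Minimal reader for one backtick-quoted identifier, as the database would see
# it: returns [identifier, trailing_sql]. Non-empty trailing SQL means the
# "name" escaped its quotes.
def parse_quoted_identifier(quoted)
  raise ArgumentError, 'not a quoted identifier' unless quoted.start_with?('`')
  ident = +''
  i = 1
  while i < quoted.length
    c = quoted[i]
    if c == '`'
      if quoted[i + 1] == '`'      # doubled backtick: literal backtick
        ident << '`'
        i += 2
        next
      end
      return [ident, quoted[(i + 1)..-1]]
    end
    ident << c
    i += 1
  end
  raise ArgumentError, 'unterminated identifier'
end

# Constructed crafted column name: closes the identifier, appends a subquery,
# and comments out the trailing delimiter ("-- " is a MySQL line comment).
CRAFTED_COLUMN = 'id` DESC, (SELECT secret FROM vault) -- '.freeze

if $PROGRAM_NAME == __FILE__
  puts order_by_sql('app.users', CRAFTED_COLUMN, method(:quote_column_name_unsafe))
  puts order_by_sql('app.users', CRAFTED_COLUMN, method(:quote_column_name_safe))
end
```

With the hardened quoter the whole crafted string becomes one (odd but harmless) identifier and the query fails on an unknown column; with the defective quoter the identifier is `id` and the rest is live SQL. Escaping the delimiter is necessary but not sufficient: column names taken from user input should also be checked against the model's known column list before they are quoted at all.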
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "50EEAFDA-7782-4E1E-9058-205AD4BE9A01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "CAC748BB-BFC5-44F7-B633-CEEBB1279889", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "38CF2C31-70BB-41D3-9462-0A8B9869A5F0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F8584B37-7950-4C89-83D2-04E1ACDC60BF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "EF12EA5D-5EB5-46A8-AC60-65B327D610AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "87B4B121-94BD-4E0F-8860-6239890043B9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "63CF211C-683E-4F7D-8C62-05B153AC1960", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "456A2F7E-CC66-48C4-B028-353D2976837A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F9806A84-2160-40EA-9960-AE7756CE4E0A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "07EC67D4-3D0F-4FF9-8197-71175DCB2723", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "D1467583-23E9-4E2B-982D-80A356174BB6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: 
"4DC784C0-5618-4C32-8C17-BE7041656E14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*", matchCriteriaId: "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*", matchCriteriaId: "3B38EAA4-E948-45A7-B6E5-7214F2B545E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*", matchCriteriaId: "6ECC8C49-5A46-4D23-81F9-8243F5D508DB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*", matchCriteriaId: "312848C5-BA35-4A48-B66D-195A5E1CD00F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: 
"486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: 
"272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", 
matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.", }, { lang: "es", value: "Múltiples vulnerabilidades de inyección SQL en el método quote_table_name en el adaptador ActiveRecord de activerecord/lib/active_record/connection_adapters/ in Ruby on Rails antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5, permite a atacantes remotos ejecutar comandos SQL de su elección a través de un nombre de columna modificado.", }, ], id: "CVE-2011-2930", lastModified: "2024-11-21T01:29:17.973", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2011-08-29T18:55:01.457", references: [ { source: 
"secalert@redhat.com", tags: [ "Patch", ], url: "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2011/dsa-2301", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { source: "secalert@redhat.com", url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731438", }, { source: "secalert@redhat.com", tags: [ "Patch", ], url: "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"http://www.debian.org/security/2011/dsa-2301", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731438", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
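The record above describes a crafted column name reaching an identifier quoting routine. The following Ruby is an added illustration, not code from Rails or from the referenced commit: it models the bug class with two hypothetical stand-ins for an adapter's quote_table_name, one that only wraps the name in quote characters and one that also neutralises quote characters inside it, and shows the allow-list check that keeps request parameters out of identifier positions in the first place. MySQL-style backtick quoting and the SQL fragments are assumptions chosen for the example.

```ruby
# Added example, not Rails code. Models the identifier-quoting weakness
# described for CVE-2011-2930 with hypothetical helpers; MySQL-style
# backticks are an assumption, and CRAFTED is a constructed input.

# Naive quoting: wraps the name in backticks but leaves embedded backticks
# alone, so a crafted name can close the identifier and append SQL.
def naive_quote_table_name(name)
  "`#{name}`"
end

# Hardened quoting: an embedded backtick is doubled (MySQL's escape for a
# backtick inside a quoted identifier), so the whole input stays one identifier.
def safe_quote_table_name(name)
  "`#{name.to_s.gsub('`', '``')}`"
end

# Defence in depth: a column name taken from a request should never reach the
# quoting routine at all; map it through an allow-list and fall back to a default.
ALLOWED_SORT_COLUMNS = %w[id name created_at].freeze

def sort_column_for(param)
  ALLOWED_SORT_COLUMNS.include?(param) ? param : 'id'
end

# Builds the ORDER BY clause; the quoter is injected so both variants can be compared.
def order_sql(column, quoter)
  "SELECT * FROM `users` ORDER BY #{quoter.call(column)}"
end

# Check used below: true only if the quoted string is a single backtick-quoted
# identifier, i.e. every backtick between the outer pair is an escaped (doubled) one.
def single_identifier?(quoted)
  stripped = quoted.gsub('``', '')
  stripped.length >= 2 &&
    stripped.start_with?('`') && stripped.end_with?('`') &&
    !stripped[1..-2].include?('`')
end

# Constructed attacker-controlled "column name": closes the identifier,
# terminates the statement, and comments out the trailing quote character.
CRAFTED = "id` ; DROP TABLE users; -- "

naive_sql = order_sql(CRAFTED, method(:naive_quote_table_name))
safe_sql  = order_sql(CRAFTED, method(:safe_quote_table_name))
# naive_sql => SELECT * FROM `users` ORDER BY `id` ; DROP TABLE users; -- `   (second statement injected)
# safe_sql  => SELECT * FROM `users` ORDER BY `id`` ; DROP TABLE users; -- `  (still one identifier)
```

The quoting fix and the allow-list are complementary: correct escaping stops the quoted identifier from being broken out of, while the allow-list means an attacker-chosen name is never quoted at all, which also closes off adapter-specific quoting quirks the example does not model.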
Vulnerability from fkie_nvd
Published
2016-09-07 19:28
Modified
2024-11-21 02:55
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
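The summary above concerns attribute values that were exempted from escaping because the string carried an "HTML safe" mark. The Ruby below is an added illustration, not Action View code: SafeString stands in for ActiveSupport::SafeBuffer, and the two tag_option helpers are hypothetical models of a tag helper before and after the fix. It shows that a safe-marked value containing a double quote closes the attribute in the trusting version, and that encoding only the double quotes in safe-marked values contains it without double-escaping entities the application legitimately produced. The attribute-name scanner and the payload are constructed for the example.

```ruby
# Added example, not Action View code. Models the attribute-value XSS class
# described for CVE-2016-6316 with hypothetical helpers; SafeString stands in
# for ActiveSupport::SafeBuffer and the payload is a constructed sample.
require 'cgi'

class String
  def html_safe?; false; end   # plain strings are untrusted
end

# A string the application has declared HTML safe (e.g. sanitizer output).
class SafeString < String
  def html_safe?; true; end
end

# Vulnerable rendering: a safe-marked value is emitted into the attribute verbatim.
def vulnerable_tag_option(key, value)
  v = value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
  %(#{key}="#{v}")
end

# Hardened rendering: a safe-marked value still gets its double quotes encoded,
# so it can never terminate the attribute it is placed in; untrusted values are
# fully escaped as before.
def hardened_tag_option(key, value)
  v = value.html_safe? ? value.to_s.gsub('"', '&quot;') : CGI.escapeHTML(value.to_s)
  %(#{key}="#{v}")
end

# Renders an opening tag from a hash of attributes using the given option renderer.
def render_tag(name, attrs, option_renderer)
  "<#{name} #{attrs.map { |k, v| option_renderer.call(k, v) }.join(' ')}>"
end

# Check used below: lists the attribute names present in a rendered tag; any
# name the developer did not set means the value broke out of its attribute.
def attribute_names(tag_html)
  tag_html.scan(/\s([a-zA-Z_:][-\w:.]*)="[^"]*"/).flatten
end

# Constructed payload: closes the title attribute and adds an event handler.
PAYLOAD = SafeString.new('x" onmouseover="alert(document.cookie)')

vulnerable_html = render_tag('div', { 'title' => PAYLOAD }, method(:vulnerable_tag_option))
hardened_html   = render_tag('div', { 'title' => PAYLOAD }, method(:hardened_tag_option))
# vulnerable_html => <div title="x" onmouseover="alert(document.cookie)">   (injected attribute)
# hardened_html   => <div title="x&quot; onmouseover=&quot;alert(document.cookie)">
```

The same payload as a plain, unmarked String is harmless in both versions, because full escaping applies; the exposure is specific to values the application marked safe, which is why the hardened version keeps the rest of a safe value intact and touches only the character that can end an attribute.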
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: "392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: 
"0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: "CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: 
"08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: 
"0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: 
"84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: "244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: 
"6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.12:*:*:*:*:*:*:*", matchCriteriaId: "11F211A0-AC69-482A-B659-AEE7BE4E4CD6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: 
"F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:rc1:*:*:*:*:*:*", matchCriteriaId: "42232305-7D62-4692-81CC-B7E9CE642372", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:rc1:*:*:*:*:*:*", matchCriteriaId: "DD2818D7-5006-4486-AE55-47B63C8F114B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:rc2:*:*:*:*:*:*", matchCriteriaId: "83EF40E0-1C62-415A-892B-C071B109D924", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:rc1:*:*:*:*:*:*", matchCriteriaId: "22D707A0-7CA9-4CED-8DBA-1B50B57EDB2B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:rc2:*:*:*:*:*:*", matchCriteriaId: "0C3CADF8-3316-4514-9A70-AD3DF16B19E1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:rc3:*:*:*:*:*:*", matchCriteriaId: "D0D4AF31-A47B-4BE3-A99B-9A0EB7C53D20", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*", matchCriteriaId: "75842F7D-B1B1-48BA-858F-01148867B3AA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*", matchCriteriaId: 
"FE65D701-AA6E-48E4-B62B-C22DEE863503", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*", matchCriteriaId: "17B1E475-C873-4561-9348-027721C08D79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*", matchCriteriaId: "C0406FF0-30F5-40E2-B9B8-FE465D923DE4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*", matchCriteriaId: "6646610D-279B-4AEC-B445-981E7784EE5B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*", matchCriteriaId: "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*", matchCriteriaId: "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*", matchCriteriaId: "A499584B-6E2E-42F3-B0CE-DA7BDD732897", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.21:*:*:*:*:*:*:*", matchCriteriaId: "AE982FFD-D30F-4872-9C36-74DE50405B18", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.22.2:*:*:*:*:*:*:*", matchCriteriaId: "EA770BE3-DD37-45C9-9E6D-8D3407D1A5D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", matchCriteriaId: "254884EE-EBA4-45D0-9704-B5CB22569668", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: 
"35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", matchCriteriaId: "5C913A56-959D-44F1-BD89-D246C66D1F09", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5D5BA926-38EE-47BE-9D16-FDCF360A503B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", matchCriteriaId: "18EA25F1-279A-4F1A-883D-C064369F592E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", matchCriteriaId: "FD794856-6F30-4ABF-8AE4-720BB75E6F89", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", matchCriteriaId: "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", matchCriteriaId: "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", matchCriteriaId: "767C481D-6616-4CA9-9A9B-C994D9121796", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", matchCriteriaId: "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "CA46B621-125E-497F-B2DE-91C989B25936", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B3239443-2E19-4540-BA0C-05A27E44CB6C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", matchCriteriaId: "104AC9CF-6611-4469-9852-7FDAF4EC7638", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", matchCriteriaId: 
"31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", matchCriteriaId: "A462C151-982E-4A83-A376-025015F40645", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*", matchCriteriaId: "660C2AD2-CEC8-4391-84AF-27515A88B29E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "578CC013-776B-4868-B448-B7ACAF3AF832", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", matchCriteriaId: "C310EA3E-399A-48FD-8DE9-6950E328CF23", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "293B2998-5169-4960-BEC4-21DAC837E32B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*", matchCriteriaId: "FB42A8E7-D273-4CE2-9182-D831D8089BFA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "DB757DFD-BF47-4483-A2C0-DF37F7D10989", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6C375F2-5027-4B55-9112-C5DD2F787E43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", matchCriteriaId: "EAB8D57F-9849-428C-B8E9-D0A1020728BB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", matchCriteriaId: "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "0965BDB6-9644-465C-AA32-9278B2D53197", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", matchCriteriaId: "072EB16D-1325-4869-B156-65E786A834C7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", matchCriteriaId: 
"847B3C3D-8656-404D-A954-09C159EDC8E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", matchCriteriaId: "65CA2D50-B33C-4088-BDDF-EB964C9A092C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", matchCriteriaId: "CADB5989-5260-4F60-ACF2-BEB6D7F97654", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", matchCriteriaId: "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", matchCriteriaId: "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*", matchCriteriaId: "B86E26CB-2376-4EBC-913C-B354E2D6711B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", matchCriteriaId: "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*", matchCriteriaId: "D5150753-E86D-4859-A046-97B83EAE2C14", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", matchCriteriaId: "59C5B869-74FC-4051-A103-A721332B3CF2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*", matchCriteriaId: "7C31EBD2-CD2D-4D38-AA51-A5A56487939A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*", matchCriteriaId: "F11E9791-7BCE-43E5-A4BA-6449623FE4F9", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*", matchCriteriaId: "33FBD4E4-0BCD-49E1-BA84-86621B7C4556", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*", matchCriteriaId: "CE521626-2876-455C-9D99-DB74726DC724", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*", matchCriteriaId: "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*", matchCriteriaId: 
"DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*", matchCriteriaId: "16D3B0EA-49F7-401A-A1D9-437429D33EAD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*", matchCriteriaId: "83D1EB17-EE67-48E5-B637-AA9A75D397F6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*", matchCriteriaId: "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*", matchCriteriaId: "A2B1711A-5541-412C-A5A0-274CEAB9E387", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FCB08CD7-E9B9-454F-BAF7-96162D177677", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*", matchCriteriaId: "C3AF00C3-93D9-4284-BCB9-40E42CB8386E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*", matchCriteriaId: "0D3DA0B4-E374-4ED4-8C3B-F723C968666F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*", matchCriteriaId: "B1730A9A-6810-4470-AE6C-A5356D5BFF43", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.14.2:*:*:*:*:*:*:*", matchCriteriaId: "AE4B688E-8638-4539-961D-4FDCBEB4B1C5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.15:*:*:*:*:*:*:*", matchCriteriaId: "5D0346BB-9180-4FE5-AA35-DC466675ED5D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.15:rc1:*:*:*:*:*:*", matchCriteriaId: "2D6DD9BF-F174-4BE3-9910-BDE3658DC36E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.16:*:*:*:*:*:*:*", matchCriteriaId: "40B79E40-75CB-4EBB-8A4B-AF41AED2AE1E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.16:rc1:*:*:*:*:*:*", matchCriteriaId: "89B4DCF6-1A21-4B91-ACB4-7DE05487C497", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", 
matchCriteriaId: "9A68D41F-36A9-4B77-814D-996F4E48FA79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", matchCriteriaId: "709A19A5-8FD1-4F9C-A38C-F06242A94D68", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", matchCriteriaId: "8104482C-E8F5-40A7-8B27-234FEF725FD0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", matchCriteriaId: "2CFF8677-EA00-4F7E-BFF9-272482206DB5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", matchCriteriaId: "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "85435026-9855-4BF4-A436-832628B005FD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56C2308F-A590-47B0-9791-7865D189196F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", matchCriteriaId: "9A266882-DABA-4A4C-88E6-60E993EE0947", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", matchCriteriaId: "83F1142C-3BFB-4B72-A033-81E20DB19D02", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", matchCriteriaId: "1FA738A1-227B-4665-B65E-666883FFAE96", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", matchCriteriaId: "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", matchCriteriaId: "10789A2D-6401-4119-BFBE-2EE4C16216D3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", matchCriteriaId: "70ABD462-7142-4831-8EB6-801EC1D05573", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", matchCriteriaId: "81D717DB-7C80-48AA-A774-E291D2E75D6E", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", matchCriteriaId: "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "E4BD8840-0F1C-49D3-B843-9CFE64948018", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", matchCriteriaId: "79D5B492-43F9-470F-BD21-6EFD93E78453", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "4EC1F602-D48C-458A-A063-4050BE3BB25F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", matchCriteriaId: "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", matchCriteriaId: "FD191625-ACE2-46B6-9AAD-12D682C732C2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", matchCriteriaId: "02C7DB56-267B-4057-A9BA-36D1E58C6282", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*", matchCriteriaId: "EC163D49-691B-4125-A983-6CF6F6D86DEE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*", matchCriteriaId: "68B537D1-1584-4D15-9C75-08ED4D45DC3A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.6:*:*:*:*:*:*:*", matchCriteriaId: "6A19315C-9A9D-45FE-81C8-074744825B98", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*", matchCriteriaId: "1E3B4233-E117-4E77-A60D-3DFD5073154D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.7:*:*:*:*:*:*:*", matchCriteriaId: "392CF25B-8400-4185-863F-D6353B664FB2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.7:rc1:*:*:*:*:*:*", matchCriteriaId: "3037282A-863A-4C92-A40C-4D436D2621C1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", matchCriteriaId: "AF8F94CF-D504-4165-A69E-3F1198CB162A", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*", matchCriteriaId: "C8C25977-AB6C-45E1-8956-871EB31B36BA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "5F0AB6B0-3506-4332-A183-309FAC4882CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:5.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "F844FB25-6E27-412F-8394-A7FB15AC1191", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:5.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "A4E608ED-F4AB-4F29-B34E-2841A59580A6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:5.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "6320DD44-7D7E-4075-A865-BEAFF86FDA9D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*", matchCriteriaId: "A325F57E-0055-4279-9ED7-A26E75FC38E5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*", matchCriteriaId: "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*", matchCriteriaId: "991F368C-CEB5-4DE6-A7EE-C341F358A4CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*", matchCriteriaId: "01DB164E-E08E-4649-84BD-15B4159A3AA0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*", matchCriteriaId: "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*", matchCriteriaId: "69702127-AB96-4FE0-9AC4-FBE7B8CA77E5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.20:*:*:*:*:*:*:*", 
matchCriteriaId: "48D71F7B-CF93-41D4-A824-51CB11F08692", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.22:*:*:*:*:*:*:*", matchCriteriaId: "60CE659B-DF49-477B-8879-C33823F6527F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.22.1:*:*:*:*:*:*:*", matchCriteriaId: "7EF68196-7C9E-40FE-868D-C42FF82D52EE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*", matchCriteriaId: "9C8E749B-2908-442A-99F0-91E2772336ED", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*", matchCriteriaId: "9E43D2D7-89AE-4805-9732-F1C601D8D8B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*", matchCriteriaId: "5F3D8911-060D-435D-ACA2-E29271170CAA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*", matchCriteriaId: "EA7A4939-16CF-450D-846A-75B231E32D61", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*", matchCriteriaId: "C964D4A2-3F39-4CC7-A028-B42C94DDB56F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*", matchCriteriaId: "23FD6D82-9A14-4BD4-AA00-1875F0962ACE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*", matchCriteriaId: "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:5.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E971CF9D-B807-4A74-81EB-D7CB4E5B8099", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:5.0.0:racecar1:*:*:*:*:*:*", matchCriteriaId: "0B31291C-CBB5-4E51-B0AC-4144E8BAD65B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: 
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as \"HTML safe\" and used as attribute values in tag handlers.", }, { lang: "es", value: "Vulnerabilidad de XSS en Action View en Ruby en Rails 3.x en versiones anteriores a 3.2.22.3, 4.x en versiones anteriores a 4.2.7.1 y 5.x en versiones anteriores a 5.0.0.1 podría permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de texto declarado como \"HTML safe\" y utilizado como valores de atributos en los manejadores de etiquetas.", }, ], id: "CVE-2016-6316", lastModified: "2024-11-21T02:55:53.280", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: 
"2016-09-07T19:28:10.067", references: [ { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2016-1855.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2016-1856.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2016-1857.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2016-1858.html", }, { source: "secalert@redhat.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://www.debian.org/security/2016/dsa-3651", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2016/08/11/3", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/92430", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE", }, { source: "secalert@redhat.com", url: "https://puppet.com/security/cve/cve-2016-6316", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2016-1855.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2016-1856.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2016-1857.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2016-1858.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://www.debian.org/security/2016/dsa-3651", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third 
Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2016/08/11/3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/92430", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://puppet.com/security/cve/cve-2016-6316", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
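The CVE-2016-6316 record above describes text marked "HTML safe" being dropped into attribute values without quote escaping. The mechanism is easiest to see outside Rails, so the following is an added example, not code from this page or from the Rails project: `SafeString` stands in for `ActiveSupport::SafeBuffer`, and `body_escape`, `attribute_vulnerable`, `attribute_hardened`, `tag` and `PAYLOAD` are constructed for the illustration. The vulnerable builder applies the element-body rule (skip escaping when the value is flagged safe) to an attribute; the hardened one escapes attribute values unconditionally, which is the behaviour the fixed releases adopt for quotes.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer (constructed for this example):
# a String that remembers it was declared "HTML safe".
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe
    SafeString.new(self)
  end
end

# Hypothetical helper: escape for element-body context, honouring the
# html_safe? flag the way a view layer does for body text.
def body_escape(value)
  value.respond_to?(:html_safe?) && value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
end

# Vulnerable attribute builder: reuses the body-context rule. A double quote
# inside a "safe" value terminates the attribute and lets the rest of the
# string add attributes the template never declared.
def attribute_vulnerable(name, value)
  %(#{name}="#{body_escape(value)}")
end

# Hardened attribute builder: attribute context has its own rule, so the
# value is always escaped no matter what the flag says.
def attribute_hardened(name, value)
  %(#{name}="#{ERB::Util.html_escape(value.to_s)}")
end

# Hypothetical tag helper taking the attribute builder as a parameter so both
# behaviours can be compared on the same input.
def tag(name, content, attrs, builder)
  rendered = attrs.map { |k, v| builder.call(k, v) }.join(" ")
  "<#{name} #{rendered}>#{body_escape(content)}</#{name}>"
end

# Constructed input: a string the application once marked safe for use as
# body text and later reused as an attribute value.
PAYLOAD = %(Home" onmouseover="alert(1)).html_safe

def vulnerable_link(text = PAYLOAD)
  tag(:a, "link", { href: "/", title: text }, method(:attribute_vulnerable))
end

def hardened_link(text = PAYLOAD)
  tag(:a, "link", { href: "/", title: text }, method(:attribute_hardened))
end

# Count attributes in the rendered tag; a successful break-out shows up as an
# extra attribute beyond the two the template declared.
def attribute_count(html)
  html.scan(/\s[a-z]+="/).size
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_link
  puts hardened_link
end
```

Inside a real Rails application `ERB::Util.html_escape` is overridden to honour `html_safe?`, which is exactly why the fixed tag helpers escape attribute quotes unconditionally rather than relying on it; the remedy for an affected application is the patched release, not a copy of this helper.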
Vulnerability from fkie_nvd
Published
2014-02-20 15:27
Modified
2024-11-21 02:01
Severity ?
Summary
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: 
"5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: 
"A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: 
"244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: "6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: 
"96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*", matchCriteriaId: "B13A8EBB-4211-4AB1-8872-244EEEE20ABD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*", matchCriteriaId: "75842F7D-B1B1-48BA-858F-01148867B3AA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FE65D701-AA6E-48E4-B62B-C22DEE863503", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*", matchCriteriaId: "17B1E475-C873-4561-9348-027721C08D79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*", matchCriteriaId: "C0406FF0-30F5-40E2-B9B8-FE465D923DE4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*", matchCriteriaId: "6646610D-279B-4AEC-B445-981E7784EE5B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", matchCriteriaId: "005A14B0-1621-4A0C-A990-2B8B59C199B3", versionEndIncluding: "3.2.16", vulnerable: true, }, { criteria: 
"cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*", matchCriteriaId: "A325F57E-0055-4279-9ED7-A26E75FC38E5", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*", matchCriteriaId: "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*", matchCriteriaId: "991F368C-CEB5-4DE6-A7EE-C341F358A4CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*", matchCriteriaId: "01DB164E-E08E-4649-84BD-15B4159A3AA0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*", matchCriteriaId: "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.", }, { lang: "es", value: "actionpack/lib/action_view/template/text.rb en Action View en Ruby on Rails 3.x anterior a 3.2.17 convierte cadenas tipo MIME a símbolos durante el uso de la opción :text al método render, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria) mediante la inclusión de estas cadenas en cabeceras.", }, ], id: "CVE-2014-0082", lastModified: "2024-11-21T02:01:19.423", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: 
"AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-02-20T15:27:09.170", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html", }, { source: "secalert@redhat.com", url: "http://openwall.com/lists/oss-security/2014/02/18/10", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-0215.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2014-0306.html", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/57376", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/57836", }, { source: "secalert@redhat.com", url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ", }, { source: "secalert@redhat.com", url: "https://puppet.com/security/cve/cve-2014-0082", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://openwall.com/lists/oss-security/2014/02/18/10", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-0215.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2014-0306.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/57376", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/57836", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://puppet.com/security/cve/cve-2014-0082", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
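The CVE-2014-0082 record above comes down to one operation: a client-supplied MIME type string being turned into a Symbol. On Ruby before 2.2 symbols were never garbage-collected, so every distinct string an attacker sent stayed in the symbol table for the life of the process. The following is an added example, not code from this page or from Rails: `KNOWN_MIME_TYPES`, `format_symbol_vulnerable`, `format_symbol_hardened`, `media_types_from_header`, `render_format_for` and the attacker traffic are all constructed for the illustration. It contrasts interning whatever arrives with a fixed-table lookup that never allocates a new symbol for unknown input.

```ruby
# Table of the MIME types this application actually serves (constructed for
# this example; Rails keeps its real registry in Mime::Type).
KNOWN_MIME_TYPES = {
  "text/html"        => :html,
  "text/plain"       => :text,
  "application/json" => :json,
  "application/xml"  => :xml,
}.freeze

DEFAULT_FORMAT = :html

# Vulnerable pattern: intern whatever media type string the client sent.
# Every distinct string becomes a new Symbol; on Ruby before 2.2 symbols were
# never garbage-collected, so an attacker cycling through random strings
# grew the process without bound.
def format_symbol_vulnerable(media_type)
  media_type.to_sym
end

# Hardened pattern: only strings present in the fixed table map to a symbol;
# anything else yields nil and allocates nothing that outlives the request.
def format_symbol_hardened(media_type)
  KNOWN_MIME_TYPES[media_type]
end

# Split an Accept-style header into bare media types, dropping parameters
# such as ";q=0.9" and surrounding whitespace.
def media_types_from_header(header)
  header.to_s.split(",").map { |part| part.split(";").first.to_s.strip.downcase }.reject(&:empty?)
end

# Pick the render format for a request: the first known type wins, otherwise
# the default. Unknown types are ignored rather than interned.
def render_format_for(accept_header)
  media_types_from_header(accept_header).each do |type|
    sym = format_symbol_hardened(type)
    return sym if sym
  end
  DEFAULT_FORMAT
end

# Constructed attacker traffic: each request carries a never-seen-before
# media type, which is what makes the vulnerable path unbounded.
def attacker_headers(count)
  Array.new(count) { |i| format("application/x-probe-%06d;q=0.5, text/html", i) }
end

# How many distinct symbols each strategy creates for the traffic: linear in
# the number of requests for the vulnerable one, constant for the hardened one.
def distinct_symbols(headers, strategy)
  headers.flat_map { |h| media_types_from_header(h) }
         .map { |t| send(strategy, t) }
         .compact
         .uniq
         .size
end

if __FILE__ == $PROGRAM_NAME
  traffic = attacker_headers(1000)
  puts "vulnerable: #{distinct_symbols(traffic, :format_symbol_vulnerable)} symbols"
  puts "hardened:   #{distinct_symbols(traffic, :format_symbol_hardened)} symbols"
end
```

Ruby 2.2 and later collect dynamically created symbols, which closes the memory-exhaustion angle at the language level; the lookup-table pattern is still the right shape for any code that maps untrusted strings onto identifiers, because interning is not the only thing that can grow per distinct input.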
Vulnerability from fkie_nvd
Published
2014-11-08 11:55
Modified
2024-11-21 02:18
Severity ?
Summary
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
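The `/..%2F` sequence in the summary above works against a static-file handler that inspects the path before percent-decoding it: the encoded form contains no `../`, so a naive check passes, and only the decoded form climbs out of the root. The following is an added example, not this page's or Rails' code: `percent_decode`, `resolve_static_naive`, `resolve_static_hardened`, `PROBES` and `compare` are constructed for the illustration. `resolve_static_naive` illustrates the bug class; `resolve_static_hardened` decodes first, rejects `..` segments in the decoded path, and then checks that the expanded result still lies under the root (the `valid_encoding?` and NUL checks are this example's own additions).

```ruby
# Percent-decode one path the way a static-file middleware must before any
# safety check (constructed helper; Rack::Utils.unescape_path does the same job).
def percent_decode(path)
  path.to_s.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Illustration of the bug class (not the Rails code): a "../" check on the
# still-encoded path. "..%2F" contains no "../" yet, passes, and only turns
# into "../" when decoded afterwards.
def resolve_static_naive(root, request_path)
  return nil if request_path.include?("../")
  File.expand_path(File.join(root, percent_decode(request_path)))
end

# Hardened resolver: decode first, validate the decoded segments, and then
# confirm the expanded result still lies under the root. Returns the absolute
# path to serve, or nil when the request must be refused.
def resolve_static_hardened(root, request_path)
  decoded = percent_decode(request_path)
  return nil unless decoded.valid_encoding?
  return nil if decoded.include?("\0")

  segments = decoded.split("/")
  return nil if segments.include?("..")
  clean = segments.reject { |s| s.empty? || s == "." }

  root_abs = File.expand_path(root)
  full = File.expand_path(File.join(root_abs, *clean))
  # Defence in depth: even if a future encoding trick slips past the segment
  # check, anything outside the root is refused here.
  return nil unless full == root_abs || full.start_with?(root_abs + File::SEPARATOR)
  full
end

# Constructed probe paths an attacker would send to a static middleware.
PROBES = [
  "/assets/app.css",
  "/..%2Fconfig/database.yml",
  "/assets/%2e%2e/%2e%2e/config/secrets.yml",
  "/assets/..%252Fsecret",
].freeze

# Map each probe to what each resolver would do with it.
def compare(root = "/srv/app/public")
  PROBES.to_h { |p| [p, { naive: resolve_static_naive(root, p), hardened: resolve_static_hardened(root, p) }] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |path, result| puts "#{path.ljust(44)} naive=#{result[:naive].inspect} hardened=#{result[:hardened].inspect}" }
end
```

The double-encoded probe (`%252F`) is decoded exactly once and therefore stays inside the root as a harmless non-existent file name; decoding in a loop "until stable" would reintroduce the traversal, which is why the hardened resolver decodes once and validates the result.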
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E3BE7DFE-BA20-434B-A1DE-AD038B255C60", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", matchCriteriaId: "DCEE5B21-C990-4705-8239-0D7B29DAEDA1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "65EE33B1-B079-4CDE-B9C2-F1613A4610DC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "5CAAA20B-824F-4448-99DC-9712FE628073", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", matchCriteriaId: "D2BEBDFB-0F30-454A-B74C-F820C9D2708B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*", matchCriteriaId: "1D7CD8C1-95D1-477E-AD96-6582EC33BA01", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9476CE55-69C0-45D3-B723-6F459C90BF05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", matchCriteriaId: "486F5BA6-BCF7-4691-9754-19D364B4438D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", matchCriteriaId: "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "D26565B1-2BA6-4A3C-9264-7FC9A1820B59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", matchCriteriaId: "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", matchCriteriaId: 
"392E2D58-CB39-4832-B4D9-9C2E23B8E14C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", matchCriteriaId: "1F2466EA-7039-46A1-B4A3-8DACD1953A59", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", matchCriteriaId: "0CAB4E72-0A15-4B26-9B69-074C278568D6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "A085E105-9375-440A-80CB-9B23E6D7EB4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: "25911E48-C5D7-4ED8-B4DB-7523A74CCF49", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", matchCriteriaId: "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", matchCriteriaId: "B29674E3-CC80-446B-9A43-82594AE7A058", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", matchCriteriaId: "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", matchCriteriaId: "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", matchCriteriaId: "272268EE-E3E8-4683-B679-55D748877A7E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", matchCriteriaId: "7B69FD33-61FE-4F10-BBE1-215F59035D30", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", matchCriteriaId: "08D7CB5D-82EF-4A24-A792-938FAB40863D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", matchCriteriaId: "8A044B21-47D5-468D-AF4A-06B3B5CC0824", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", matchCriteriaId: "2196F3D0-532A-40F9-843A-1DFBC8B63FDC", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", matchCriteriaId: 
"CBEDA932-6CB5-438C-94E4-824732A91BE0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", matchCriteriaId: "903E5524-5E45-48CE-A804-EDAEBE3A79AD", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", matchCriteriaId: "08534AF2-F94E-4FB6-A572-4FB9827276D4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", matchCriteriaId: "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", matchCriteriaId: "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", matchCriteriaId: "1F07C641-48DF-43BE-9EB5-72B337C54846", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "A1CB1B12-99F5-430F-AE19-9A95C17FA123", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", matchCriteriaId: "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", matchCriteriaId: "05D5D58C-DB79-41EA-81AE-5D95C48211B0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", matchCriteriaId: "FE331D6D-99BA-4369-AD8B-B556DEE4955F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*", matchCriteriaId: "58304E17-ADFD-4686-9CCF-C1CA31843B94", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", matchCriteriaId: "05108EF0-81AD-4378-9843-5C23F2AC79A3", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*", matchCriteriaId: "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*", matchCriteriaId: "0C448F62-8231-4221-ADA0-C9B848AE03D1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*", matchCriteriaId: 
"5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*", matchCriteriaId: "60255706-C44A-48CB-B98B-A1F0991CBC74", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*", matchCriteriaId: "0456E2E8-EF06-414E-8A7D-8005F0EB46B7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*", matchCriteriaId: "D9EE4763-2495-4B6A-B72F-344967E51C27", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F884F2F4-94F3-46CB-860B-1BCC0EEF408A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", matchCriteriaId: "88DFBB48-1C29-4639-9369-F5B413CA2337", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", matchCriteriaId: "D37696D7-BEE6-4587-9E33-A7FE24780409", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", matchCriteriaId: "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", matchCriteriaId: "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", matchCriteriaId: "D3172982-3FA4-427F-BE3E-2321D804E49D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", matchCriteriaId: "FD6EC85B-F092-48FF-966A-96B9227C8656", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", matchCriteriaId: "9000F3C1-57A0-474C-9C82-E58688F29838", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", matchCriteriaId: "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", matchCriteriaId: 
"A42F4E7A-6F6A-485C-8D30-95F3B0285922", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "30B9C0CB-F6E6-4233-84E4-D6E69104DD73", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5343241F-274D-45FF-97C7-2BC2E920BAF0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", matchCriteriaId: "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "3E50ACF6-7277-4C9A-B42A-E7EFDC317691", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C191DC2B-1EC3-48E0-A586-867E6EE4431C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", matchCriteriaId: "3AA51263-6680-42C6-B119-8241D6F76206", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", matchCriteriaId: "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", matchCriteriaId: "09C20971-53B5-43B0-AC45-5AA0FDF1B054", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", matchCriteriaId: "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*", matchCriteriaId: "496902D6-409A-40D9-849F-C41264BE5B04", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*", matchCriteriaId: "2482AB3F-8303-4F95-BE04-C5F06EEF2015", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*", matchCriteriaId: 
"244C6952-377C-4AF0-8BA2-C34516A3EB5A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*", matchCriteriaId: "98A79CC5-71EC-4E90-9E99-2DF62ABC0122", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*", matchCriteriaId: "6562F3C3-D794-4107-95D4-1C0B0486940B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "2816C02C-E13E-4367-91F3-14756A90EC9E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", matchCriteriaId: "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", matchCriteriaId: "1AE674DE-65DB-437E-A034-A2EE5C584B33", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", matchCriteriaId: "32EB2C3F-0F24-43DB-988E-BD2973598F71", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", matchCriteriaId: "EB32713D-FE64-445E-872E-B4678C243AB1", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", matchCriteriaId: "89C618DC-38BC-4484-8C41-BC38B7EB636B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", matchCriteriaId: "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", matchCriteriaId: "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", matchCriteriaId: "0E376782-98B0-4766-B6FC-67E032A00C62", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", matchCriteriaId: 
"96D08DC1-14E9-4DB9-BC95-3F73B454FBC4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*", matchCriteriaId: "F365C9E5-27DC-46C3-AFE4-4876EC7B352B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*", matchCriteriaId: "6F0016A6-0ED6-443D-B969-CB1226D8E28C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*", matchCriteriaId: "E69470EA-5EBC-4FB9-A722-5B61C70C1140", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*", matchCriteriaId: "C9AB2152-DED8-4CFD-B915-94A9F56FDD05", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*", matchCriteriaId: "C630AB60-DBAF-421E-B663-492BAE8A180F", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*", matchCriteriaId: "0F41CCF8-14EB-4327-A675-83BFDBB53196", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*", matchCriteriaId: "FE65D701-AA6E-48E4-B62B-C22DEE863503", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*", matchCriteriaId: "17B1E475-C873-4561-9348-027721C08D79", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*", matchCriteriaId: "6646610D-279B-4AEC-B445-981E7784EE5B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*", matchCriteriaId: "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*", matchCriteriaId: "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*", matchCriteriaId: "A499584B-6E2E-42F3-B0CE-DA7BDD732897", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", matchCriteriaId: "2E950E33-CD03-45F5-83F9-F106060B4A8B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", matchCriteriaId: 
"547C62C8-4B3E-431B-AA73-5C42ED884671", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "4CDAD329-35F7-4C82-8019-A0CF6D069059", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "56D3858B-0FEE-4E8D-83C2-68AF0431F478", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", matchCriteriaId: "254884EE-EBA4-45D0-9704-B5CB22569668", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", matchCriteriaId: "35FC7015-267C-403B-A23D-EDA6223D2104", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", matchCriteriaId: "5C913A56-959D-44F1-BD89-D246C66D1F09", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", matchCriteriaId: "5D5BA926-38EE-47BE-9D16-FDCF360A503B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", matchCriteriaId: "18EA25F1-279A-4F1A-883D-C064369F592E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", matchCriteriaId: "FD794856-6F30-4ABF-8AE4-720BB75E6F89", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", matchCriteriaId: "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", matchCriteriaId: "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", matchCriteriaId: "767C481D-6616-4CA9-9A9B-C994D9121796", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", matchCriteriaId: "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", matchCriteriaId: "CA46B621-125E-497F-B2DE-91C989B25936", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", matchCriteriaId: 
"B3239443-2E19-4540-BA0C-05A27E44CB6C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", matchCriteriaId: "104AC9CF-6611-4469-9852-7FDAF4EC7638", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", matchCriteriaId: "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", matchCriteriaId: "A462C151-982E-4A83-A376-025015F40645", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*", matchCriteriaId: "660C2AD2-CEC8-4391-84AF-27515A88B29E", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", matchCriteriaId: "578CC013-776B-4868-B448-B7ACAF3AF832", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", matchCriteriaId: "C310EA3E-399A-48FD-8DE9-6950E328CF23", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "293B2998-5169-4960-BEC4-21DAC837E32B", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", matchCriteriaId: "EAB8D57F-9849-428C-B8E9-D0A1020728BB", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", matchCriteriaId: "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", matchCriteriaId: "0965BDB6-9644-465C-AA32-9278B2D53197", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", matchCriteriaId: "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", matchCriteriaId: "072EB16D-1325-4869-B156-65E786A834C7", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", matchCriteriaId: 
"847B3C3D-8656-404D-A954-09C159EDC8E2", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", matchCriteriaId: "65CA2D50-B33C-4088-BDDF-EB964C9A092C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", matchCriteriaId: "CADB5989-5260-4F60-ACF2-BEB6D7F97654", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", matchCriteriaId: "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", matchCriteriaId: "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", matchCriteriaId: "709A19A5-8FD1-4F9C-A38C-F06242A94D68", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", matchCriteriaId: "8104482C-E8F5-40A7-8B27-234FEF725FD0", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", matchCriteriaId: "224BD488-0D7E-4F8B-9012-DE872DEB544C", vulnerable: true, }, { criteria: "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*", matchCriteriaId: "69702127-AB96-4FE0-9AC4-FBE7B8CA77E5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", matchCriteriaId: "DFBF430B-0832-44B0-AA0E-BA9E467F7668", vulnerable: true, }, { criteria: "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", matchCriteriaId: "A10BC294-9196-425F-9FB0-B1625465B47F", vulnerable: true, }, { criteria: "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", matchCriteriaId: "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 
4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.", }, { lang: "es", value: "Vulnerabilidad de salto de directorio en actionpack/lib/action_dispatch/middleware/static.rb en Action Pack en Ruby on Rails 3.x anterior a 3.2.20, 4.0.x anterior a 4.0.11, 4.1.x anterior a 4.1.7, y 4.2.x anterior a 4.2.0.beta3, cuando serve_static_assets está habilitado, permite a atacantes remotos determinar la existencia de ficheros fuera del root de la aplicación a través de una secuencia /..%2F.", }, ], id: "CVE-2014-7818", lastModified: "2024-11-21T02:18:04.337", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-11-08T11:55:02.977", references: [ { source: "secalert@redhat.com", url: "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html", }, { source: "secalert@redhat.com", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ", }, { source: "secalert@redhat.com", url: "https://puppet.com/security/cve/cve-2014-7829", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://puppet.com/security/cve/cve-2014-7829", }, ], sourceIdentifier: 
"secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2013-0333
Vulnerability from cvelistv5
Published
2013-01-30 11:00
Modified
2024-08-06 14:25
Summary
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
References
| URL | Tags |
|---|---|
| http://www.kb.cert.org/vuls/id/628463 | third-party-advisory, x_refsource_CERT-VN |
| http://www.debian.org/security/2013/dsa-2613 | vendor-advisory, x_refsource_DEBIAN |
| http://support.apple.com/kb/HT5784 | x_refsource_CONFIRM |
| http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html | vendor-advisory, x_refsource_APPLE |
| http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html | vendor-advisory, x_refsource_APPLE |
| https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
| http://rhn.redhat.com/errata/RHSA-2013-0201.html | vendor-advisory, x_refsource_REDHAT |
| http://rhn.redhat.com/errata/RHSA-2013-0202.html | vendor-advisory, x_refsource_REDHAT |
| https://puppet.com/security/cve/cve-2013-0333 | x_refsource_CONFIRM |
| http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/ | x_refsource_CONFIRM |
| http://rhn.redhat.com/errata/RHSA-2013-0203.html | vendor-advisory, x_refsource_REDHAT |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T14:25:09.069Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "VU#628463", tags: [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred", ], url: "http://www.kb.cert.org/vuls/id/628463", }, { name: "DSA-2613", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2013/dsa-2613", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://support.apple.com/kb/HT5784", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "APPLE-SA-2013-03-14-1", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html", }, { name: "[rubyonrails-security] 20130129 Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain", }, { name: "RHSA-2013:0201", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0201.html", }, { name: "RHSA-2013:0202", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0202.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://puppet.com/security/cve/cve-2013-0333", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/", }, { name: "RHSA-2013:0203", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0203.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: 
"n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-01-29T00:00:00", descriptions: [ { lang: "en", value: "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-08T10:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "VU#628463", tags: [ "third-party-advisory", "x_refsource_CERT-VN", ], url: "http://www.kb.cert.org/vuls/id/628463", }, { name: "DSA-2613", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2013/dsa-2613", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://support.apple.com/kb/HT5784", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "APPLE-SA-2013-03-14-1", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html", }, { name: "[rubyonrails-security] 20130129 Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain", }, { name: "RHSA-2013:0201", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0201.html", }, { name: "RHSA-2013:0202", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0202.html", 
}, { tags: [ "x_refsource_CONFIRM", ], url: "https://puppet.com/security/cve/cve-2013-0333", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/", }, { name: "RHSA-2013:0203", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0203.html", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-0333", datePublished: "2013-01-30T11:00:00", dateReserved: "2012-12-06T00:00:00", dateUpdated: "2024-08-06T14:25:09.069Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-1856
Vulnerability from cvelistv5
Published
2013-03-19 22:00
Modified
2024-08-06 15:20
Summary
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
References
| URL | Tags |
|---|---|
| http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html | vendor-advisory, x_refsource_APPLE |
| http://support.apple.com/kb/HT5784 | x_refsource_CONFIRM |
| http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html | vendor-advisory, x_refsource_APPLE |
| https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
| http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/ | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T15:20:35.152Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "APPLE-SA-2013-10-22-5", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://support.apple.com/kb/HT5784", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "[rubyonrails-security] 20130318 [CVE-2013-1856] XML Parsing Vulnerability affecting JRuby users", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-03-18T00:00:00", descriptions: [ { lang: "en", value: "The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2013-03-22T09:00:00", orgId: 
"53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "APPLE-SA-2013-10-22-5", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://support.apple.com/kb/HT5784", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "[rubyonrails-security] 20130318 [CVE-2013-1856] XML Parsing Vulnerability affecting JRuby users", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-1856", datePublished: "2013-03-19T22:00:00", dateReserved: "2013-02-19T00:00:00", dateUpdated: "2024-08-06T15:20:35.152Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-17920
Vulnerability from cvelistv5
Published
2017-12-29 16:00
Modified
2024-08-05 21:06
Summary
SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
References
| URL | Tags |
|---|---|
| https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T21:06:49.547Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-12-27T00:00:00", descriptions: [ { lang: "en", value: "SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-01T17:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", }, ], tags: [ "disputed", ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-17920", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "** DISPUTED ** SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. 
NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", refsource: "MISC", url: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-17920", datePublished: "2017-12-29T16:00:00", dateReserved: "2017-12-26T00:00:00", dateUpdated: "2024-08-05T21:06:49.547Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2009-4214
Vulnerability from cvelistv5
Published
2009-12-07 17:00
Modified
2024-08-07 06:54
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
References
▼ | URL | Tags |
---|---|---|
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1 | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/37446 | third-party-advisory, x_refsource_SECUNIA | |
http://www.vupen.com/english/advisories/2009/3352 | vdb-entry, x_refsource_VUPEN | |
http://www.debian.org/security/2011/dsa-2301 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html | vendor-advisory, x_refsource_APPLE | |
http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/37142 | vdb-entry, x_refsource_BID | |
http://www.debian.org/security/2011/dsa-2260 | vendor-advisory, x_refsource_DEBIAN | |
http://www.openwall.com/lists/oss-security/2009/11/27/2 | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html | vendor-advisory, x_refsource_SUSE | |
http://support.apple.com/kb/HT4077 | x_refsource_CONFIRM | |
http://www.securitytracker.com/id?1023245 | vdb-entry, x_refsource_SECTRACK | |
http://secunia.com/advisories/38915 | third-party-advisory, x_refsource_SECUNIA | |
http://www.openwall.com/lists/oss-security/2009/12/08/3 | mailing-list, x_refsource_MLIST | |
http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-07T06:54:09.938Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[rubyonrails-security] 20091127 XSS Weakness in strip_tags", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1", }, { name: "37446", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/37446", }, { name: "ADV-2009-3352", tags: [ "vdb-entry", "x_refsource_VUPEN", "x_transferred", ], url: "http://www.vupen.com/english/advisories/2009/3352", }, { name: "DSA-2301", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2011/dsa-2301", }, { name: "APPLE-SA-2010-03-29-1", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released", }, { name: "37142", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/37142", }, { name: "DSA-2260", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2011/dsa-2260", }, { name: "[oss-security] 20091127 CVE request: ruby on rails XSS Weakness in strip_tags", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2009/11/27/2", }, { name: "SUSE-SR:2010:006", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://support.apple.com/kb/HT4077", }, { name: "1023245", tags: [ "vdb-entry", "x_refsource_SECTRACK", 
"x_transferred", ], url: "http://www.securitytracker.com/id?1023245", }, { name: "38915", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/38915", }, { name: "[oss-security] 20091208 Re: CVE request: ruby on rails XSS Weakness in strip_tags", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2009/12/08/3", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2009-11-27T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2009-12-17T10:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "[rubyonrails-security] 20091127 XSS Weakness in strip_tags", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1", }, { name: "37446", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/37446", }, { name: "ADV-2009-3352", tags: [ "vdb-entry", "x_refsource_VUPEN", ], url: "http://www.vupen.com/english/advisories/2009/3352", }, { name: "DSA-2301", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2011/dsa-2301", }, { name: 
"APPLE-SA-2010-03-29-1", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released", }, { name: "37142", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/37142", }, { name: "DSA-2260", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2011/dsa-2260", }, { name: "[oss-security] 20091127 CVE request: ruby on rails XSS Weakness in strip_tags", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2009/11/27/2", }, { name: "SUSE-SR:2010:006", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://support.apple.com/kb/HT4077", }, { name: "1023245", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id?1023245", }, { name: "38915", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/38915", }, { name: "[oss-security] 20091208 Re: CVE request: ruby on rails XSS Weakness in strip_tags", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2009/12/08/3", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2009-4214", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability 
in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "[rubyonrails-security] 20091127 XSS Weakness in strip_tags", refsource: "MLIST", url: "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1", }, { name: "37446", refsource: "SECUNIA", url: "http://secunia.com/advisories/37446", }, { name: "ADV-2009-3352", refsource: "VUPEN", url: "http://www.vupen.com/english/advisories/2009/3352", }, { name: "DSA-2301", refsource: "DEBIAN", url: "http://www.debian.org/security/2011/dsa-2301", }, { name: "APPLE-SA-2010-03-29-1", refsource: "APPLE", url: "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", }, { name: "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released", }, { name: "37142", refsource: "BID", url: "http://www.securityfocus.com/bid/37142", }, { name: "DSA-2260", refsource: "DEBIAN", url: "http://www.debian.org/security/2011/dsa-2260", }, { name: "[oss-security] 20091127 CVE request: ruby on rails XSS Weakness in strip_tags", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2009/11/27/2", }, { name: "SUSE-SR:2010:006", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html", }, { name: "http://support.apple.com/kb/HT4077", refsource: "CONFIRM", url: "http://support.apple.com/kb/HT4077", }, { name: "1023245", refsource: "SECTRACK", url: "http://www.securitytracker.com/id?1023245", }, { name: "38915", refsource: "SECUNIA", url: 
"http://secunia.com/advisories/38915", }, { name: "[oss-security] 20091208 Re: CVE request: ruby on rails XSS Weakness in strip_tags", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2009/12/08/3", }, { name: "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5", refsource: "CONFIRM", url: "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2009-4214", datePublished: "2009-12-07T17:00:00", dateReserved: "2009-12-07T00:00:00", dateUpdated: "2024-08-07T06:54:09.938Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-3226
Vulnerability from cvelistv5
Published
2015-07-26 22:00
Modified
2024-08-06 05:39
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
References
▼ | URL | Tags |
---|---|---|
http://www.securitytracker.com/id/1033755 | vdb-entry, x_refsource_SECTRACK | |
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ | mailing-list, x_refsource_MLIST | |
http://www.securityfocus.com/bid/75231 | vdb-entry, x_refsource_BID | |
http://openwall.com/lists/oss-security/2015/06/16/17 | mailing-list, x_refsource_MLIST | |
http://www.debian.org/security/2016/dsa-3464 | vendor-advisory, x_refsource_DEBIAN |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T05:39:32.141Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "1033755", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1033755", }, { name: "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ", }, { name: "75231", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/75231", }, { name: "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://openwall.com/lists/oss-security/2015/06/16/17", }, { name: "DSA-3464", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2016/dsa-3464", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-06-16T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-09-15T09:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "1033755", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1033755", }, { name: "[rubyonrails-security] 20150616 [CVE-2015-3226] 
XSS Vulnerability in ActiveSupport::JSON.encode", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ", }, { name: "75231", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/75231", }, { name: "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://openwall.com/lists/oss-security/2015/06/16/17", }, { name: "DSA-3464", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2016/dsa-3464", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2015-3226", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "1033755", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1033755", }, { name: "[rubyonrails-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode", refsource: "MLIST", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ", }, { name: "75231", refsource: "BID", url: "http://www.securityfocus.com/bid/75231", }, { name: "[oss-security] 20150616 [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode", 
refsource: "MLIST", url: "http://openwall.com/lists/oss-security/2015/06/16/17", }, { name: "DSA-3464", refsource: "DEBIAN", url: "http://www.debian.org/security/2016/dsa-3464", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2015-3226", datePublished: "2015-07-26T22:00:00", dateReserved: "2015-04-10T00:00:00", dateUpdated: "2024-08-06T05:39:32.141Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
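The CVE-2015-3226 record above says only that a crafted Hash is "mishandled during JSON encoding" and ends up as script in a page. The usual reason JSON becomes an XSS vector is that `<`, `>` and `&` are legal inside JSON strings, so an encoder that leaves them raw produces output that breaks out of an inline `<script>` block. The following is an added example written for this page, not Active Support's encoder: it wraps Ruby's standard `json` library and rewrites those characters as `\uXXXX` escapes, for Hash keys as well as values. The `PAYLOAD` hash and the script-tag embedding are constructed for illustration.

```ruby
require "json"

# Added example (not Active Support code). Escapes the characters that matter
# to an HTML parser so the JSON stays parseable but can no longer terminate a
# surrounding <script> element. Assumption: both keys and values of the Hash
# may be attacker-influenced, and the result is inlined into an HTML page.

# JSON permits these characters inside strings, so replacing them with \u
# escapes changes nothing for JSON.parse. U+2028/U+2029 are included because
# older JavaScript engines treat them as line terminators in string literals.
HTML_ESCAPES = {
  "<" => '\u003c',
  ">" => '\u003e',
  "&" => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
}.freeze

# Block form of gsub is used so backslashes in the replacement are literal.
def html_safe_json(obj)
  JSON.generate(obj).gsub(Regexp.union(HTML_ESCAPES.keys)) { |c| HTML_ESCAPES[c] }
end

# Vulnerable shape: plain JSON.generate inlined into a script tag. A string
# containing "</script>" closes the element and the rest is parsed as HTML.
def script_embed_unsafe(obj)
  "<script>var data = #{JSON.generate(obj)};</script>"
end

# Hardened shape: the escaped document cannot contain "</script>" or "<img".
def script_embed_safe(obj)
  "<script>var data = #{html_safe_json(obj)};</script>"
end

# Constructed payload: markup in a key and in a value.
PAYLOAD = { "</script><img src=x onerror=alert(1)>" => "</script>" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts script_embed_unsafe(PAYLOAD)
  puts script_embed_safe(PAYLOAD)
  puts JSON.parse(html_safe_json(PAYLOAD)) == PAYLOAD # round trip is lossless
end
```

Escaping at encode time is what makes the output safe regardless of where a view inserts it; HTML-escaping the whole JSON string instead would turn `"` into `&quot;` and break the JavaScript.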
cve-2017-17919
Vulnerability from cvelistv5
Published
2017-12-29 16:00
Modified
2024-08-05 21:06
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input
References
▼ | URL | Tags |
---|---|---|
https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | x_refsource_MISC |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "ruby_on_rails", vendor: "rubyonrails", versions: [ { status: "affected", version: "*", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2017-17919", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-04-23T15:16:52.640372Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-89", description: "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-04T17:11:55.128Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-05T21:06:49.394Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-12-27T00:00:00", descriptions: [ { lang: "en", value: "SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. 
NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-01T17:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", }, ], tags: [ "disputed", ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-17919", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "** DISPUTED ** SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", refsource: "MISC", url: "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-17919", datePublished: "2017-12-29T16:00:00", dateReserved: "2017-12-26T00:00:00", dateUpdated: "2024-08-05T21:06:49.394Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
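CVE-2017-17920 (`reorder`) and CVE-2017-17919 (`order`) describe the same pattern and are both disputed for the same reason: these methods take a raw SQL fragment by design, so the injection exists only when an application hands them a request parameter. The example below is added for this page and is not Rails code; it does not depend on Active Record and simply returns the text that would follow `ORDER BY`, so the two shapes can be compared offline. The `users` table, the column allow-list and the `PAYLOAD` string are constructed for illustration.

```ruby
# Added example (not Rails code): an allow-list wrapper for a user-controlled
# sort parameter, the fix for the `Model.order(params[:sort])` pattern behind
# CVE-2017-17919/CVE-2017-17920. Assumptions: the application accepts
# `?sort=<column>[ <asc|desc>]` and sorts a hypothetical `users` table.

# Vulnerable shape: the parameter is interpolated verbatim, which is what a
# String argument to order/reorder is documented to do.
def unsafe_order_fragment(param)
  "ORDER BY #{param}"
end

ALLOWED_SORT_COLUMNS = %w[id name created_at].freeze
ALLOWED_DIRECTIONS   = { "asc" => "ASC", "desc" => "DESC" }.freeze

# Hardened shape: split the parameter into (column, direction), accept only
# allow-listed values, and emit quoted identifiers. Unknown input is rejected
# rather than sanitised, so no attacker-controlled text reaches the SQL.
def safe_order_fragment(param, table: "users")
  raise ArgumentError, "sort parameter missing" if param.nil? || param.strip.empty?
  column, direction = param.strip.split(/\s+/, 2)
  direction ||= "asc"
  unless ALLOWED_SORT_COLUMNS.include?(column)
    raise ArgumentError, "unknown sort column: #{column.inspect}"
  end
  dir_sql = ALLOWED_DIRECTIONS[direction.downcase]
  raise ArgumentError, "unknown sort direction: #{direction.inspect}" unless dir_sql
  %(ORDER BY "#{table}"."#{column}" #{dir_sql})
end

# Constructed payload: the benign "id desc" from the advisory text with an
# extra expression appended. The unsafe helper passes it through unchanged.
PAYLOAD = "id desc, (CASE WHEN (SELECT 1)=1 THEN id ELSE name END)".freeze

if __FILE__ == $PROGRAM_NAME
  puts unsafe_order_fragment(PAYLOAD)
  puts safe_order_fragment("name desc")
  begin
    safe_order_fragment(PAYLOAD)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The wrapper deliberately never tries to clean the string; anything outside the allow-list raises, which is the behaviour a controller should surface as a 400 rather than a 500.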
cve-2014-0081
Vulnerability from cvelistv5
Published
2014-02-20 11:00
Modified
2024-08-06 09:05
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
References
▼ | URL | Tags |
---|---|---|
http://rhn.redhat.com/errata/RHSA-2014-0215.html | vendor-advisory, x_refsource_REDHAT | |
http://rhn.redhat.com/errata/RHSA-2014-0306.html | vendor-advisory, x_refsource_REDHAT | |
http://www.securityfocus.com/bid/65647 | vdb-entry, x_refsource_BID | |
http://www.securitytracker.com/id/1029782 | vdb-entry, x_refsource_SECTRACK | |
http://openwall.com/lists/oss-security/2014/02/18/8 | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html | vendor-advisory, x_refsource_SUSE | |
http://secunia.com/advisories/57376 | third-party-advisory, x_refsource_SECUNIA | |
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ | mailing-list, x_refsource_MLIST |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T09:05:38.984Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2014:0215", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0215.html", }, { name: "RHSA-2014:0306", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0306.html", }, { name: "65647", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/65647", }, { name: "1029782", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1029782", }, { name: "[oss-security] 20140218 XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human (CVE-2014-0081)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://openwall.com/lists/oss-security/2014/02/18/8", }, { name: "openSUSE-SU-2014:0295", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html", }, { name: "57376", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/57376", }, { name: "[rubyonrails-security] 20140218 XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human (CVE-2014-0081)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2014-02-18T00:00:00", descriptions: [ { lang: "en", value: "Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 
4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2015-06-02T14:57:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2014:0215", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0215.html", }, { name: "RHSA-2014:0306", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0306.html", }, { name: "65647", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/65647", }, { name: "1029782", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1029782", }, { name: "[oss-security] 20140218 XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human (CVE-2014-0081)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://openwall.com/lists/oss-security/2014/02/18/8", }, { name: "openSUSE-SU-2014:0295", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html", }, { name: "57376", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/57376", }, { name: "[rubyonrails-security] 20140218 XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human (CVE-2014-0081)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2014-0081", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { 
product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2014:0215", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-0215.html", }, { name: "RHSA-2014:0306", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-0306.html", }, { name: "65647", refsource: "BID", url: "http://www.securityfocus.com/bid/65647", }, { name: "1029782", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1029782", }, { name: "[oss-security] 20140218 XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human (CVE-2014-0081)", refsource: "MLIST", url: "http://openwall.com/lists/oss-security/2014/02/18/8", }, { name: "openSUSE-SU-2014:0295", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html", }, { name: "57376", refsource: "SECUNIA", url: "http://secunia.com/advisories/57376", }, { name: "[rubyonrails-security] 20140218 XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human (CVE-2014-0081)", refsource: "MLIST", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: 
"redhat", cveId: "CVE-2014-0081", datePublished: "2014-02-20T11:00:00", dateReserved: "2013-12-03T00:00:00", dateUpdated: "2024-08-06T09:05:38.984Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
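The CVE-2014-0081 description pins the problem to three options (`format`, `negative_format`, `units`) of three number helpers: the helpers escaped the number but interpolated the option strings as trusted. The example below is added for this page and is not ActionView code; it is a minimal currency formatter in plain Ruby that shows the unsafe and the corrected shape side by side, using `ERB::Util.html_escape` from the standard library. The `%u`/`%n` placeholders follow the real helper's convention; the two-decimal precision and the `units` handling are assumptions.

```ruby
require "erb"

# Added example (not ActionView code): a number_to_currency-style formatter
# whose :format, :negative_format and :unit options are treated as untrusted,
# the class of fix CVE-2014-0081 required. Assumptions: two decimal places,
# and the returned string is written into an HTML document.

def format_number(number, precision: 2)
  format("%.#{precision}f", number.abs)
end

# Vulnerable shape: the option strings are interpolated as-is, so a caller
# that forwards params[:format] ships attacker markup to the page.
# (Block form of gsub is used so backslashes in the options stay literal.)
def currency_unsafe(number, unit: "$", format: "%u%n", negative_format: "-#{format}")
  template = number.negative? ? negative_format : format
  template.gsub("%n") { format_number(number) }.gsub("%u") { unit }
end

# Hardened shape: every caller-supplied fragment is escaped before it is
# interpolated. Escaping the number too costs nothing and keeps the rule
# simple: nothing reaches the output unescaped.
def currency_safe(number, unit: "$", format: "%u%n", negative_format: "-#{format}")
  h = ERB::Util.method(:html_escape)
  template = h.call(number.negative? ? negative_format : format)
  template.gsub("%n") { h.call(format_number(number)) }.gsub("%u") { h.call(unit) }
end

if __FILE__ == $PROGRAM_NAME
  injected = "<b onmouseover=alert(1)>%u%n</b>"
  puts currency_unsafe(12.5, format: injected)
  puts currency_safe(12.5, format: injected)
  puts currency_safe(-3, negative_format: "(%u%n)")
end
```

Note that `%n` and `%u` survive escaping untouched, so the substitution still works on the escaped template; the order (escape first, then substitute escaped values) is what guarantees no unescaped byte is ever introduced.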
cve-2007-6077
Vulnerability from cvelistv5
Published
2007-11-21 21:00
Modified
2024-08-07 15:54
Severity ?
EPSS score ?
Summary
The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.
References
▼ | URL | Tags |
---|---|---|
http://www.vupen.com/english/advisories/2007/4238 | vdb-entry, x_refsource_VUPEN | |
http://www.us-cert.gov/cas/techalerts/TA07-352A.html | third-party-advisory, x_refsource_CERT | |
http://secunia.com/advisories/28136 | third-party-advisory, x_refsource_SECUNIA | |
http://secunia.com/advisories/27781 | third-party-advisory, x_refsource_SECUNIA | |
http://dev.rubyonrails.org/changeset/8177 | x_refsource_CONFIRM | |
http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html | vendor-advisory, x_refsource_APPLE | |
http://www.securityfocus.com/bid/26598 | vdb-entry, x_refsource_BID | |
http://docs.info.apple.com/article.html?artnum=307179 | x_refsource_CONFIRM | |
http://dev.rubyonrails.org/ticket/10048 | x_refsource_CONFIRM | |
http://www.vupen.com/english/advisories/2007/4009 | vdb-entry, x_refsource_VUPEN | |
http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release | x_refsource_CONFIRM |
| URL | Tags |
|---|---|
| http://www.vupen.com/english/advisories/2007/4238 | vdb-entry, x_refsource_VUPEN |
| http://www.us-cert.gov/cas/techalerts/TA07-352A.html | third-party-advisory, x_refsource_CERT |
| http://secunia.com/advisories/28136 | third-party-advisory, x_refsource_SECUNIA |
| http://secunia.com/advisories/27781 | third-party-advisory, x_refsource_SECUNIA |
| http://dev.rubyonrails.org/changeset/8177 | x_refsource_CONFIRM |
| http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html | vendor-advisory, x_refsource_APPLE |
| http://www.securityfocus.com/bid/26598 | vdb-entry, x_refsource_BID |
| http://docs.info.apple.com/article.html?artnum=307179 | x_refsource_CONFIRM |
| http://dev.rubyonrails.org/ticket/10048 | x_refsource_CONFIRM |
| http://www.vupen.com/english/advisories/2007/4009 | vdb-entry, x_refsource_VUPEN |
| http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release | x_refsource_CONFIRM |
cve-2015-7577
Vulnerability from cvelistv5
Published
2016-02-16 02:00
Modified
2024-08-06 07:51
Summary
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
References
| URL | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html | vendor-advisory, x_refsource_SUSE |
| http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html | vendor-advisory, x_refsource_FEDORA |
| http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html | vendor-advisory, x_refsource_FEDORA |
| http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html | vendor-advisory, x_refsource_SUSE |
| https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ | mailing-list, x_refsource_MLIST |
| http://www.securitytracker.com/id/1034816 | vdb-entry, x_refsource_SECTRACK |
| http://www.securityfocus.com/bid/81806 | vdb-entry, x_refsource_BID |
| http://www.debian.org/security/2016/dsa-3464 | vendor-advisory, x_refsource_DEBIAN |
| http://rhn.redhat.com/errata/RHSA-2016-0296.html | vendor-advisory, x_refsource_REDHAT |
| http://www.openwall.com/lists/oss-security/2016/01/25/10 | mailing-list, x_refsource_MLIST |
cve-2009-2422
Vulnerability from cvelistv5
Published
2009-07-10 15:00
Modified
2024-08-07 05:52
Summary
The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
References
| URL | Tags |
|---|---|
| http://secunia.com/advisories/35702 | third-party-advisory, x_refsource_SECUNIA |
| http://www.securityfocus.com/bid/35579 | vdb-entry, x_refsource_BID |
| http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html | vendor-advisory, x_refsource_APPLE |
| http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest | x_refsource_CONFIRM |
| http://www.vupen.com/english/advisories/2009/1802 | vdb-entry, x_refsource_VUPEN |
| http://support.apple.com/kb/HT4077 | x_refsource_CONFIRM |
| http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s | x_refsource_MISC |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/51528 | vdb-entry, x_refsource_XF |
cve-2012-3464
Vulnerability from cvelistv5
Published
2012-08-10 10:00
Modified
2024-08-06 20:05
Summary
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.
References
| URL | Tags |
|---|---|
| http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ | x_refsource_CONFIRM |
| http://secunia.com/advisories/50694 | third-party-advisory, x_refsource_SECUNIA |
| http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT |
| https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
cve-2008-5189
Vulnerability from cvelistv5
Published
2008-11-21 11:00
Modified
2024-08-07 10:40
Summary
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
References
| URL | Tags |
|---|---|
| http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/32359 | vdb-entry, x_refsource_BID |
| http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html | vendor-advisory, x_refsource_SUSE |
| http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing | x_refsource_CONFIRM |
| http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk | x_refsource_CONFIRM |
cve-2013-1857
Vulnerability from cvelistv5
Published
2013-03-19 22:00
Modified
2024-08-06 15:20
Summary
The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.
References
| URL | Tags |
|---|---|
| http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html | vendor-advisory, x_refsource_APPLE |
| http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html | vendor-advisory, x_refsource_SUSE |
| http://support.apple.com/kb/HT5784 | x_refsource_CONFIRM |
| http://rhn.redhat.com/errata/RHSA-2013-0698.html | vendor-advisory, x_refsource_REDHAT |
| http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html | vendor-advisory, x_refsource_APPLE |
| http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html | vendor-advisory, x_refsource_SUSE |
| https://groups.google.com/group/rubyonrails-security/msg/78b9817a5943f6d6?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
| http://rhn.redhat.com/errata/RHSA-2014-1863.html | vendor-advisory, x_refsource_REDHAT |
| http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/ | x_refsource_CONFIRM |
cve-2012-2661
Vulnerability from cvelistv5
Published
2012-06-22 14:00
Modified
2024-08-06 19:42
Summary
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
References
| URL | Tags |
|---|---|
| https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html | vendor-advisory, x_refsource_SUSE |
| http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T19:42:31.596Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[rubyonrails-security] 20120531 SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2661)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain", }, { name: "SUSE-SU-2012:1012", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { name: "SUSE-SU-2012:1014", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { name: "openSUSE-SU-2012:1066", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2012-05-31T00:00:00", descriptions: [ { lang: "en", value: "The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2012-11-06T10:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { 
name: "[rubyonrails-security] 20120531 SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2661)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain", }, { name: "SUSE-SU-2012:1012", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { name: "SUSE-SU-2012:1014", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { name: "openSUSE-SU-2012:1066", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2012-2661", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "[rubyonrails-security] 20120531 SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2661)", refsource: "MLIST", url: 
"https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain", }, { name: "SUSE-SU-2012:1012", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { name: "SUSE-SU-2012:1014", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { name: "openSUSE-SU-2012:1066", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { name: "RHSA-2013:0154", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2012-2661", datePublished: "2012-06-22T14:00:00", dateReserved: "2012-05-14T00:00:00", dateUpdated: "2024-08-06T19:42:31.596Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2012-2660
Vulnerability from cvelistv5
Published
2012-06-22 14:00
Modified
2024-08-06 19:42
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
References
| URL | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html | vendor-advisory, x_refsource_SUSE |
| https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
| http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T19:42:31.885Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "SUSE-SU-2012:1015", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html", }, { name: "SUSE-SU-2012:1012", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { name: "openSUSE-SU-2012:0978", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", }, { name: "SUSE-SU-2012:1014", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { name: "openSUSE-SU-2012:1066", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { name: "[rubyonrails-security] 20120531 Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2012-05-31T00:00:00", descriptions: [ { lang: "en", value: "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows 
remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2694.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2012-09-07T09:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "SUSE-SU-2012:1015", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html", }, { name: "SUSE-SU-2012:1012", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { name: "openSUSE-SU-2012:0978", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", }, { name: "SUSE-SU-2012:1014", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { name: "openSUSE-SU-2012:1066", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { name: "[rubyonrails-security] 20120531 Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2012-2660", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: 
"CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2694.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "SUSE-SU-2012:1015", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html", }, { name: "SUSE-SU-2012:1012", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", }, { name: "openSUSE-SU-2012:0978", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", }, { name: "SUSE-SU-2012:1014", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", }, { name: "openSUSE-SU-2012:1066", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html", }, { name: "[rubyonrails-security] 20120531 Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)", refsource: "MLIST", url: "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain", }, { name: "RHSA-2013:0154", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2012-2660", datePublished: "2012-06-22T14:00:00", dateReserved: "2012-05-14T00:00:00", dateUpdated: "2024-08-06T19:42:31.885Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: 
"5.1", }
cve-2016-2097
Vulnerability from cvelistv5
Published
2016-04-07 23:00
Modified
2024-08-05 23:17
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
References
| URL | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html | vendor-advisory, x_refsource_SUSE |
| http://www.debian.org/security/2016/dsa-3509 | vendor-advisory, x_refsource_DEBIAN |
| https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ | mailing-list, x_refsource_MLIST |
| http://www.securitytracker.com/id/1035122 | vdb-entry, x_refsource_SECTRACK |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html | vendor-advisory, x_refsource_SUSE |
| http://www.securityfocus.com/bid/83726 | vdb-entry, x_refsource_BID |
| http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html | vendor-advisory, x_refsource_SUSE |
| http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/ | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T23:17:50.576Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "SUSE-SU-2016:0967", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html", }, { name: "DSA-3509", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2016/dsa-3509", }, { name: "[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ", }, { name: "1035122", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1035122", }, { name: "SUSE-SU-2016:0854", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html", }, { name: "83726", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/83726", }, { name: "openSUSE-SU-2016:0835", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-02-29T00:00:00", descriptions: [ { lang: "en", value: "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of 
the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2016-11-30T18:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "SUSE-SU-2016:0967", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html", }, { name: "DSA-3509", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2016/dsa-3509", }, { name: "[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ", }, { name: "1035122", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1035122", }, { name: "SUSE-SU-2016:0854", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html", }, { name: "83726", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/83726", }, { name: "openSUSE-SU-2016:0835", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2016-2097", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", 
data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "SUSE-SU-2016:0967", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html", }, { name: "DSA-3509", refsource: "DEBIAN", url: "http://www.debian.org/security/2016/dsa-3509", }, { name: "[ruby-security-ann] 20160229 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View", refsource: "MLIST", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ", }, { name: "1035122", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1035122", }, { name: "SUSE-SU-2016:0854", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html", }, { name: "83726", refsource: "BID", url: "http://www.securityfocus.com/bid/83726", }, { name: "openSUSE-SU-2016:0835", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html", }, { name: "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2016-2097", datePublished: "2016-04-07T23:00:00", dateReserved: "2016-01-29T00:00:00", dateUpdated: "2024-08-05T23:17:50.576Z", state: "PUBLISHED", }, dataType: 
"CVE_RECORD", dataVersion: "5.1", }
cve-2011-2931
Vulnerability from cvelistv5
Published
2011-08-29 18:00
Modified
2024-08-06 23:15
Summary
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T23:15:31.957Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[rubyonrails-security] 20110816 XSS Vulnerability in strip_tags helper", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain", }, { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11386", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "FEDORA-2011-11567", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731436", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "DSA-2301", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2011/dsa-2301", }, { name: "45921", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/45921", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "FEDORA-2011-11572", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2011-08-16T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2011-09-23T09:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "[rubyonrails-security] 20110816 XSS Vulnerability in strip_tags helper", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain", }, { name: "[oss-security] 20110817 CVE 
request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11386", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "FEDORA-2011-11567", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731436", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "DSA-2301", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2011/dsa-2301", }, { name: "45921", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/45921", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "FEDORA-2011-11572", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", 
tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2011-2931", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "[rubyonrails-security] 20110816 XSS Vulnerability in strip_tags helper", refsource: "MLIST", url: "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain", }, { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11386", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "FEDORA-2011-11567", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=731436", refsource: 
"CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=731436", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "DSA-2301", refsource: "DEBIAN", url: "http://www.debian.org/security/2011/dsa-2301", }, { name: "45921", refsource: "SECUNIA", url: "http://secunia.com/advisories/45921", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "FEDORA-2011-11572", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { name: "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a", refsource: "CONFIRM", url: "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { name: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2011-2931", datePublished: "2011-08-29T18:00:00", dateReserved: "2011-07-27T00:00:00", dateUpdated: "2024-08-06T23:15:31.957Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2012-3463
Vulnerability from cvelistv5
Published
2012-08-10 10:00
Modified
2024-08-06 20:05
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
References
URL | Tags
---|---
http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ | x_refsource_CONFIRM
https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain | mailing-list, x_refsource_MLIST
http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT
cve-2014-0082
Vulnerability from cvelistv5
Published
2014-02-20 11:00
Modified
2024-08-06 09:05
Summary
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
References
URL | Tags
---|---
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ | mailing-list, x_refsource_MLIST
http://rhn.redhat.com/errata/RHSA-2014-0215.html | vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/57836 | third-party-advisory, x_refsource_SECUNIA
http://rhn.redhat.com/errata/RHSA-2014-0306.html | vendor-advisory, x_refsource_REDHAT
https://puppet.com/security/cve/cve-2014-0082 | x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html | vendor-advisory, x_refsource_SUSE
http://secunia.com/advisories/57376 | third-party-advisory, x_refsource_SECUNIA
http://openwall.com/lists/oss-security/2014/02/18/10 | mailing-list, x_refsource_MLIST
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ | x_refsource_CONFIRM
cve-2016-2098
Vulnerability from cvelistv5
Published
2016-04-07 23:00
Modified
2024-08-05 23:17
Summary
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
References
URL | Tags
---|---
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html | vendor-advisory, x_refsource_SUSE
http://www.debian.org/security/2016/dsa-3509 | vendor-advisory, x_refsource_DEBIAN
http://www.securityfocus.com/bid/83725 | vdb-entry, x_refsource_BID
http://www.securitytracker.com/id/1035122 | vdb-entry, x_refsource_SECTRACK
https://www.exploit-db.com/exploits/40086/ | exploit, x_refsource_EXPLOIT-DB
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html | vendor-advisory, x_refsource_SUSE
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ | mailing-list, x_refsource_MLIST
http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/ | x_refsource_CONFIRM
cve-2012-6496
Vulnerability from cvelistv5
Published
2013-01-04 02:00
Modified
2024-08-06 21:28
Summary
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
References
URL | Tags
---|---
https://bugzilla.redhat.com/show_bug.cgi?id=889649 | x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2013-0155.html | vendor-advisory, x_refsource_REDHAT
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/ | x_refsource_MISC
http://rhn.redhat.com/errata/RHSA-2013-0220.html | vendor-advisory, x_refsource_REDHAT
http://security.gentoo.org/glsa/glsa-201401-22.xml | vendor-advisory, x_refsource_GENTOO
http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT
https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain | mailing-list, x_refsource_MLIST
http://www.securityfocus.com/bid/57084 | vdb-entry, x_refsource_BID
http://rhn.redhat.com/errata/RHSA-2013-0544.html | vendor-advisory, x_refsource_REDHAT
cve-2014-7818
Vulnerability from cvelistv5
Published
2014-11-08 11:00
Modified
2024-08-06 13:03
Summary
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
References
URL | Tags
---|---
https://puppet.com/security/cve/cve-2014-7829 | x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html | vendor-advisory, x_refsource_SUSE
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ | mailing-list, x_refsource_MLIST
cve-2016-6316
Vulnerability from cvelistv5
Published
2016-09-07 19:00
Modified
2024-08-06 01:29
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
References
URL | Tags
---|---
http://rhn.redhat.com/errata/RHSA-2016-1856.html | vendor-advisory, x_refsource_REDHAT
https://puppet.com/security/cve/cve-2016-6316 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/92430 | vdb-entry, x_refsource_BID
http://rhn.redhat.com/errata/RHSA-2016-1855.html | vendor-advisory, x_refsource_REDHAT
http://www.openwall.com/lists/oss-security/2016/08/11/3 | mailing-list, x_refsource_MLIST
http://rhn.redhat.com/errata/RHSA-2016-1858.html | vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2016-1857.html | vendor-advisory, x_refsource_REDHAT
http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/ | x_refsource_CONFIRM
https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE | mailing-list, x_refsource_MLIST
http://www.debian.org/security/2016/dsa-3651 | vendor-advisory, x_refsource_DEBIAN
cve-2012-3424
Vulnerability from cvelistv5
Published
2012-08-08 10:00
Modified
2024-08-06 20:05
Severity ?
EPSS score ?
Summary
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
References
URL | Tags
---|---
https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain | mailing-list, x_refsource_MLIST
http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/ | x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html | vendor-advisory, x_refsource_SUSE
http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT
cve-2014-7829
Vulnerability from cvelistv5
Published
2014-11-18 23:00
Modified
2024-08-06 13:03
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
References
URL | Tags
---|---
https://puppet.com/security/cve/cve-2014-7829 | x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html | vendor-advisory, x_refsource_SUSE
http://www.securityfocus.com/bid/71183 | vdb-entry, x_refsource_BID
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ | mailing-list, x_refsource_MLIST
cve-2013-6417
Vulnerability from cvelistv5
Published
2013-12-07 00:00
Modified
2024-08-06 17:39
Severity ?
EPSS score ?
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
References
URL | Tags
---|---
http://rhn.redhat.com/errata/RHSA-2014-0008.html | vendor-advisory, x_refsource_REDHAT
http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html | vendor-advisory, x_refsource_SUSE
http://rhn.redhat.com/errata/RHSA-2014-0469.html | vendor-advisory, x_refsource_REDHAT
https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ | mailing-list, x_refsource_MLIST
http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html | vendor-advisory, x_refsource_SUSE
http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/ | x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2013-1794.html | vendor-advisory, x_refsource_REDHAT
https://puppet.com/security/cve/cve-2013-6417 | x_refsource_CONFIRM
http://www.debian.org/security/2014/dsa-2888 | vendor-advisory, x_refsource_DEBIAN
cve-2012-2694
Vulnerability from cvelistv5
Published
2012-06-22 14:00
Modified
2024-08-06 19:42
Severity ?
EPSS score ?
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
References
URL | Tags
---|---
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html | vendor-advisory, x_refsource_SUSE
https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain | mailing-list, x_refsource_MLIST
http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT
cve-2011-4319
Vulnerability from cvelistv5
Published: 2011-11-28 11:00
Modified: 2024-08-07 00:01
Summary
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
References
URL | Tags |
---|---|
http://osvdb.org/77199 | vdb-entry, x_refsource_OSVDB |
http://openwall.com/lists/oss-security/2011/11/18/8 | mailing-list, x_refsource_MLIST |
http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released | x_refsource_CONFIRM |
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1 | x_refsource_CONFIRM |
http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released | x_refsource_CONFIRM |
http://www.securitytracker.com/id?1026342 | vdb-entry, x_refsource_SECTRACK |
https://exchange.xforce.ibmcloud.com/vulnerabilities/71364 | vdb-entry, x_refsource_XF |
http://www.securityfocus.com/bid/50722 | vdb-entry, x_refsource_BID |
cve-2013-3221
Vulnerability from cvelistv5
Published: 2013-04-22 01:00
Modified: 2024-08-06 16:00
Summary
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.
References
URL | Tags |
---|---|
http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/ | x_refsource_MISC |
https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
http://www.phenoelit.org/blog/archives/2013/02/index.html | x_refsource_MISC |
http://openwall.com/lists/oss-security/2013/04/24/7 | mailing-list, x_refsource_MLIST |
https://gist.github.com/dakull/5442275 | x_refsource_CONFIRM |
http://openwall.com/lists/oss-security/2013/02/06/7 | mailing-list, x_refsource_MLIST |
cve-2012-1099
Vulnerability from cvelistv5
Published: 2012-03-13 10:00
Modified: 2024-08-06 18:45
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
References
URL | Tags |
---|---|
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html | vendor-advisory, x_refsource_FEDORA |
http://www.openwall.com/lists/oss-security/2012/03/03/1 | mailing-list, x_refsource_MLIST |
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html | vendor-advisory, x_refsource_FEDORA |
https://bugzilla.redhat.com/show_bug.cgi?id=799276 | x_refsource_CONFIRM |
http://www.debian.org/security/2012/dsa-2466 | vendor-advisory, x_refsource_DEBIAN |
http://www.openwall.com/lists/oss-security/2012/03/02/6 | mailing-list, x_refsource_MLIST |
http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released | x_refsource_CONFIRM |
cve-2012-2695
Vulnerability from cvelistv5
Published: 2012-06-22 14:00
Modified: 2024-08-06 19:42
Summary
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
References
URL | Tags |
---|---|
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html | vendor-advisory, x_refsource_SUSE |
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html | vendor-advisory, x_refsource_SUSE |
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html | vendor-advisory, x_refsource_SUSE |
http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html | vendor-advisory, x_refsource_SUSE |
http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT |
https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
cve-2013-0156
Vulnerability from cvelistv5
Published
2013-01-13 22:00
Modified
2024-08-06 14:18
Summary
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T14:18:09.436Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[rubyonrails-security] 20130108 Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://www.insinuator.net/2013/01/rails-yaml/", }, { name: "RHSA-2013:0155", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { name: "VU#628463", tags: [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred", ], url: "http://www.kb.cert.org/vuls/id/628463", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html", }, { name: "VU#380039", tags: [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred", ], url: "http://www.kb.cert.org/vuls/id/380039", }, { name: "APPLE-SA-2013-03-14-1", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html", }, { name: "DSA-2604", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2013/dsa-2604", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { tags: [ "x_refsource_CONFIRM", 
"x_transferred", ], url: "https://puppet.com/security/cve/cve-2013-0156", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/", }, { name: "RHSA-2013:0153", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0153.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-01-08T00:00:00", descriptions: [ { lang: "en", value: "active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-08T10:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "[rubyonrails-security] 20130108 Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain", }, { tags: [ "x_refsource_MISC", ], url: "http://www.insinuator.net/2013/01/rails-yaml/", }, { name: "RHSA-2013:0155", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { name: "VU#628463", tags: [ "third-party-advisory", "x_refsource_CERT-VN", ], url: "http://www.kb.cert.org/vuls/id/628463", }, { tags: [ "x_refsource_MISC", ], 
url: "https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html", }, { name: "VU#380039", tags: [ "third-party-advisory", "x_refsource_CERT-VN", ], url: "http://www.kb.cert.org/vuls/id/380039", }, { name: "APPLE-SA-2013-03-14-1", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html", }, { name: "DSA-2604", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2013/dsa-2604", }, { tags: [ "x_refsource_MISC", ], url: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://puppet.com/security/cve/cve-2013-0156", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/", }, { name: "RHSA-2013:0153", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0153.html", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-0156", datePublished: "2013-01-13T22:00:00", dateReserved: "2012-12-06T00:00:00", dateUpdated: "2024-08-06T14:18:09.436Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-6415
Vulnerability from cvelistv5
Published
2013-12-07 00:00
Modified
2024-08-06 17:39
Summary
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T17:39:01.258Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2014:0008", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { name: "openSUSE-SU-2013:1906", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://puppet.com/security/cve/cve-2013-6415", }, { name: "openSUSE-SU-2014:0019", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { name: "openSUSE-SU-2014:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "openSUSE-SU-2013:1905", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html", }, { name: "openSUSE-SU-2013:1907", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { name: "openSUSE-SU-2013:1904", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { name: "[ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: 
"http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "RHSA-2013:1794", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { name: "64077", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/64077", }, { name: "56093", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/56093", }, { name: "DSA-2888", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2014/dsa-2888", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-12-03T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-08T10:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2014:0008", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { name: "openSUSE-SU-2013:1906", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://puppet.com/security/cve/cve-2013-6415", }, { name: "openSUSE-SU-2014:0019", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { name: "openSUSE-SU-2014:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: 
"http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "openSUSE-SU-2013:1905", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html", }, { name: "openSUSE-SU-2013:1907", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { name: "openSUSE-SU-2013:1904", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { name: "[ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "RHSA-2013:1794", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { name: "64077", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/64077", }, { name: "56093", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/56093", }, { name: "DSA-2888", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2014/dsa-2888", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2013-6415", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site 
scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2014:0008", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { name: "openSUSE-SU-2013:1906", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "https://puppet.com/security/cve/cve-2013-6415", refsource: "CONFIRM", url: "https://puppet.com/security/cve/cve-2013-6415", }, { name: "openSUSE-SU-2014:0019", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { name: "openSUSE-SU-2014:0009", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "openSUSE-SU-2013:1905", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html", }, { name: "openSUSE-SU-2013:1907", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { name: "openSUSE-SU-2013:1904", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { name: "[ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency", refsource: "MLIST", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ", }, { name: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { name: "RHSA-2014:1863", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "RHSA-2013:1794", refsource: "REDHAT", url: 
"http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { name: "64077", refsource: "BID", url: "http://www.securityfocus.com/bid/64077", }, { name: "56093", refsource: "SECUNIA", url: "http://secunia.com/advisories/56093", }, { name: "DSA-2888", refsource: "DEBIAN", url: "http://www.debian.org/security/2014/dsa-2888", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-6415", datePublished: "2013-12-07T00:00:00", dateReserved: "2013-11-04T00:00:00", dateUpdated: "2024-08-06T17:39:01.258Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2012-1098
Vulnerability from cvelistv5
Published
2012-03-13 10:00
Modified
2024-08-06 18:45
Summary
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
References
| URL | Tags |
|---|---|
| http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html | vendor-advisory, x_refsource_FEDORA |
| http://www.openwall.com/lists/oss-security/2012/03/03/1 | mailing-list, x_refsource_MLIST |
| https://bugzilla.redhat.com/show_bug.cgi?id=799275 | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2012/03/02/6 | mailing-list, x_refsource_MLIST |
| http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
| http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T18:45:27.165Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "FEDORA-2012-3321", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html", }, { name: "[oss-security] 20120302 Re: CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2012/03/03/1", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=799275", }, { name: "[oss-security] 20120302 CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2012/03/02/6", }, { name: "[rubyonrails-security] 20120301 Possible XSS Security Vulnerability in SafeBuffer#[]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2012-03-01T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { 
dateUpdated: "2018-01-09T17:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "FEDORA-2012-3321", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html", }, { name: "[oss-security] 20120302 Re: CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2012/03/03/1", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=799275", }, { name: "[oss-security] 20120302 CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2012/03/02/6", }, { name: "[rubyonrails-security] 20120301 Possible XSS Security Vulnerability in SafeBuffer#[]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2012-1098", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: 
"n/a", }, ], }, ], }, references: { reference_data: [ { name: "FEDORA-2012-3321", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html", }, { name: "[oss-security] 20120302 Re: CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2012/03/03/1", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=799275", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=799275", }, { name: "[oss-security] 20120302 CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2012/03/02/6", }, { name: "[rubyonrails-security] 20120301 Possible XSS Security Vulnerability in SafeBuffer#[]", refsource: "MLIST", url: "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain", }, { name: "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2012-1098", datePublished: "2012-03-13T10:00:00", dateReserved: "2012-02-14T00:00:00", dateUpdated: "2024-08-06T18:45:27.165Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2011-2197
Vulnerability from cvelistv5
Published
2011-06-30 15:26
Modified
2024-08-06 22:53
Summary
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
References
| URL | Tags |
|---|---|
| http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
| http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html | vendor-advisory, x_refsource_FEDORA |
| http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html | vendor-advisory, x_refsource_FEDORA |
| http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications | x_refsource_CONFIRM |
| http://secunia.com/advisories/44789 | third-party-advisory, x_refsource_SECUNIA |
| http://openwall.com/lists/oss-security/2011/06/09/2 | mailing-list, x_refsource_MLIST |
| http://openwall.com/lists/oss-security/2011/06/13/9 | mailing-list, x_refsource_MLIST |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T22:53:17.178Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[rubyonrails-security] 20110607 Potential XSS Vulnerability in Ruby on Rails Applications", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain", }, { name: "FEDORA-2011-8494", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html", }, { name: "FEDORA-2011-8580", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications", }, { name: "44789", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/44789", }, { name: "[oss-security] 20110609 CVE Request: Ruby on Rails 3/rails_xss XSS", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://openwall.com/lists/oss-security/2011/06/09/2", }, { name: "[oss-security] 20110613 Re: CVE Request: Ruby on Rails 3/rails_xss XSS", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://openwall.com/lists/oss-security/2011/06/13/9", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2011-06-07T00:00:00", descriptions: [ { lang: "en", value: "The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to 
conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2011-09-07T09:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "[rubyonrails-security] 20110607 Potential XSS Vulnerability in Ruby on Rails Applications", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain", }, { name: "FEDORA-2011-8494", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html", }, { name: "FEDORA-2011-8580", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications", }, { name: "44789", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/44789", }, { name: "[oss-security] 20110609 CVE Request: Ruby on Rails 3/rails_xss XSS", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://openwall.com/lists/oss-security/2011/06/09/2", }, { name: "[oss-security] 20110613 Re: CVE Request: Ruby on Rails 3/rails_xss XSS", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://openwall.com/lists/oss-security/2011/06/13/9", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2011-2197", datePublished: "2011-06-30T15:26:00", dateReserved: "2011-05-31T00:00:00", dateUpdated: "2024-08-06T22:53:17.178Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2011-2929
Vulnerability from cvelistv5
Published
2011-08-29 18:00
Modified
2024-08-06 23:15
Summary
The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T23:15:32.016Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11386", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "FEDORA-2011-11572", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { name: "[rubyonrails-security] 20110816 Filter Skipping Vulnerability in Ruby on Rails 3.0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731432", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2011-08-16T00:00:00", descriptions: [ { lang: "en", value: "The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a \"filter skipping vulnerability.\"", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2011-09-23T09:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11386", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", 
"x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "FEDORA-2011-11572", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { name: "[rubyonrails-security] 20110816 Filter Skipping Vulnerability in Ruby on Rails 3.0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731432", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2011-2929", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 
3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a \"filter skipping vulnerability.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11386", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "FEDORA-2011-11572", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html", }, { name: "https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552", refsource: "CONFIRM", url: "https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { name: "[rubyonrails-security] 20110816 Filter Skipping Vulnerability in Ruby on Rails 3.0", refsource: "MLIST", url: "http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: 
"http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { name: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=731432", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=731432", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2011-2929", datePublished: "2011-08-29T18:00:00", dateReserved: "2011-07-27T00:00:00", dateUpdated: "2024-08-06T23:15:32.016Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-1855
Vulnerability from cvelistv5
Published
2013-03-19 22:00
Modified
2024-08-06 15:20
Severity ?
EPSS score ?
Summary
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
References
URL | Tags
---|---
http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html | vendor-advisory, x_refsource_APPLE
https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain | mailing-list, x_refsource_MLIST
http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html | vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html | vendor-advisory, x_refsource_SUSE
http://support.apple.com/kb/HT5784 | x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2013-0698.html | vendor-advisory, x_refsource_REDHAT
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html | vendor-advisory, x_refsource_APPLE
http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html | vendor-advisory, x_refsource_SUSE
http://rhn.redhat.com/errata/RHSA-2014-1863.html | vendor-advisory, x_refsource_REDHAT
http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/ | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T15:20:35.175Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "APPLE-SA-2013-10-22-5", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { name: "[rubyonrails-security] 20130318 [CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain", }, { name: "openSUSE-SU-2014:0019", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { name: "openSUSE-SU-2013:0662", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://support.apple.com/kb/HT5784", }, { name: "RHSA-2013:0698", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0698.html", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "openSUSE-SU-2013:0661", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: 
"n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-03-18T00:00:00", descriptions: [ { lang: "en", value: "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2014-12-09T18:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "APPLE-SA-2013-10-22-5", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { name: "[rubyonrails-security] 20130318 [CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain", }, { name: "openSUSE-SU-2014:0019", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html", }, { name: "openSUSE-SU-2013:0662", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://support.apple.com/kb/HT5784", }, { name: "RHSA-2013:0698", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0698.html", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "openSUSE-SU-2013:0661", tags: [ 
"vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-1855", datePublished: "2013-03-19T22:00:00", dateReserved: "2013-02-19T00:00:00", dateUpdated: "2024-08-06T15:20:35.175Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-7576
Vulnerability from cvelistv5
Published
2016-02-16 02:00
Modified
2024-08-06 07:51
Severity ?
EPSS score ?
Summary
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T07:51:28.554Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2016/01/25/8", }, { name: "FEDORA-2016-3ede04cd79", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html", }, { name: "openSUSE-SU-2016:0372", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { name: "openSUSE-SU-2016:0363", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { name: "FEDORA-2016-94e71ee673", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { name: "81803", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/81803", }, { name: "FEDORA-2016-f486068393", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { name: "SUSE-SU-2016:1146", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { name: "1034816", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1034816", }, { name: "DSA-3464", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2016/dsa-3464", }, { name: "RHSA-2016:0296", tags: [ 
"vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, { name: "FEDORA-2016-cb30088b06", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html", }, { name: "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-01-25T00:00:00", descriptions: [ { lang: "en", value: "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-09-09T09:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2016/01/25/8", }, { name: "FEDORA-2016-3ede04cd79", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html", }, { name: "openSUSE-SU-2016:0372", 
tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { name: "openSUSE-SU-2016:0363", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { name: "FEDORA-2016-94e71ee673", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { name: "81803", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/81803", }, { name: "FEDORA-2016-f486068393", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { name: "SUSE-SU-2016:1146", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { name: "1034816", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1034816", }, { name: "DSA-3464", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2016/dsa-3464", }, { name: "RHSA-2016:0296", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, { name: "FEDORA-2016-cb30088b06", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html", }, { name: "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2015-7576", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { 
version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2016/01/25/8", }, { name: "FEDORA-2016-3ede04cd79", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html", }, { name: "openSUSE-SU-2016:0372", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { name: "openSUSE-SU-2016:0363", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { name: "FEDORA-2016-94e71ee673", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { name: "81803", refsource: "BID", url: "http://www.securityfocus.com/bid/81803", }, { name: "FEDORA-2016-f486068393", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { name: "SUSE-SU-2016:1146", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { name: "1034816", refsource: "SECTRACK", url: 
"http://www.securitytracker.com/id/1034816", }, { name: "DSA-3464", refsource: "DEBIAN", url: "http://www.debian.org/security/2016/dsa-3464", }, { name: "RHSA-2016:0296", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, { name: "FEDORA-2016-cb30088b06", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html", }, { name: "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", refsource: "MLIST", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2015-7576", datePublished: "2016-02-16T02:00:00", dateReserved: "2015-09-29T00:00:00", dateUpdated: "2024-08-06T07:51:28.554Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2014-3482
Vulnerability from cvelistv5
Published
2014-07-07 10:00
Modified
2024-08-06 10:43
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.
References
URL | Tags
---|---
http://www.securityfocus.com/bid/68343 | vdb-entry, x_refsource_BID
http://secunia.com/advisories/59973 | third-party-advisory, x_refsource_SECUNIA
http://openwall.com/lists/oss-security/2014/07/02/5 | mailing-list, x_refsource_MLIST
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J | mailing-list, x_refsource_MLIST
http://secunia.com/advisories/60214 | third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/60763 | third-party-advisory, x_refsource_SECUNIA
http://rhn.redhat.com/errata/RHSA-2014-0876.html | vendor-advisory, x_refsource_REDHAT
http://www.debian.org/security/2014/dsa-2982 | vendor-advisory, x_refsource_DEBIAN
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T10:43:06.174Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "68343", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/68343", }, { name: "59973", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59973", }, { name: "[oss-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://openwall.com/lists/oss-security/2014/07/02/5", }, { name: "[rubyonrails-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J", }, { name: "60214", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/60214", }, { name: "60763", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/60763", }, { name: "RHSA-2014:0876", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0876.html", }, { name: "DSA-2982", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2014/dsa-2982", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2014-07-02T00:00:00", descriptions: [ { lang: "en", value: "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 
2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-01-04T17:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "68343", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/68343", }, { name: "59973", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59973", }, { name: "[oss-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://openwall.com/lists/oss-security/2014/07/02/5", }, { name: "[rubyonrails-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J", }, { name: "60214", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/60214", }, { name: "60763", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/60763", }, { name: "RHSA-2014:0876", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0876.html", }, { name: "DSA-2982", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2014/dsa-2982", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2014-3482", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", 
data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "68343", refsource: "BID", url: "http://www.securityfocus.com/bid/68343", }, { name: "59973", refsource: "SECUNIA", url: "http://secunia.com/advisories/59973", }, { name: "[oss-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", refsource: "MLIST", url: "http://openwall.com/lists/oss-security/2014/07/02/5", }, { name: "[rubyonrails-security] 20140702 [CVE-2014-3482] [CVE-2014-3483] Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL", refsource: "MLIST", url: "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J", }, { name: "60214", refsource: "SECUNIA", url: "http://secunia.com/advisories/60214", }, { name: "60763", refsource: "SECUNIA", url: "http://secunia.com/advisories/60763", }, { name: "RHSA-2014:0876", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-0876.html", }, { name: "DSA-2982", refsource: "DEBIAN", url: "http://www.debian.org/security/2014/dsa-2982", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2014-3482", datePublished: "2014-07-07T10:00:00", dateReserved: "2014-05-14T00:00:00", dateUpdated: "2024-08-06T10:43:06.174Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2008-4094
Vulnerability from cvelistv5
Published
2008-09-30 17:00
Modified
2024-08-07 10:00
Severity ?
EPSS score ?
Summary
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-07T10:00:42.864Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://gist.github.com/8946", }, { name: "rubyonrails-activerecord-sql-injection(45109)", tags: [ "vdb-entry", "x_refsource_XF", "x_transferred", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109", }, { name: "[oss-security] 20080913 CVE request: Ruby on Rails <2.1.1 :limit and :offset SQL injection", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2008/09/13/2", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://rails.lighthouseapp.com/projects/8994/tickets/964", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://rails.lighthouseapp.com/projects/8994/tickets/288", }, { name: "31875", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/31875", }, { name: "SUSE-SR:2008:027", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html", }, { name: "31910", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/31910", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1", }, { name: "1020871", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id?1020871", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/", }, { name: "[oss-security] 20080915 Re: CVE request: Ruby on Rails <2.1.1 :limit and :offset SQL injection", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"http://www.openwall.com/lists/oss-security/2008/09/16/1", }, { name: "31176", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/31176", }, { name: "31909", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/31909", }, { name: "ADV-2008-2562", tags: [ "vdb-entry", "x_refsource_VUPEN", "x_transferred", ], url: "http://www.vupen.com/english/advisories/2008/2562", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2008-09-15T00:00:00", descriptions: [ { lang: "en", value: "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-08-07T12:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://gist.github.com/8946", }, { name: "rubyonrails-activerecord-sql-injection(45109)", tags: [ "vdb-entry", "x_refsource_XF", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109", }, { name: "[oss-security] 20080913 CVE request: Ruby on Rails <2.1.1 :limit and :offset SQL injection", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2008/09/13/2", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://rails.lighthouseapp.com/projects/8994/tickets/964", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://rails.lighthouseapp.com/projects/8994/tickets/288", }, { name: "31875", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/31875", }, { 
name: "SUSE-SR:2008:027", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html", }, { name: "31910", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/31910", }, { tags: [ "x_refsource_MISC", ], url: "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1", }, { name: "1020871", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id?1020871", }, { tags: [ "x_refsource_MISC", ], url: "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/", }, { name: "[oss-security] 20080915 Re: CVE request: Ruby on Rails <2.1.1 :limit and :offset SQL injection", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2008/09/16/1", }, { name: "31176", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/31176", }, { name: "31909", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/31909", }, { name: "ADV-2008-2562", tags: [ "vdb-entry", "x_refsource_VUPEN", ], url: "http://www.vupen.com/english/advisories/2008/2562", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2008-4094", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: 
"n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://gist.github.com/8946", refsource: "CONFIRM", url: "http://gist.github.com/8946", }, { name: "rubyonrails-activerecord-sql-injection(45109)", refsource: "XF", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109", }, { name: "[oss-security] 20080913 CVE request: Ruby on Rails <2.1.1 :limit and :offset SQL injection", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2008/09/13/2", }, { name: "http://rails.lighthouseapp.com/projects/8994/tickets/964", refsource: "CONFIRM", url: "http://rails.lighthouseapp.com/projects/8994/tickets/964", }, { name: "http://rails.lighthouseapp.com/projects/8994/tickets/288", refsource: "CONFIRM", url: "http://rails.lighthouseapp.com/projects/8994/tickets/288", }, { name: "31875", refsource: "SECUNIA", url: "http://secunia.com/advisories/31875", }, { name: "SUSE-SR:2008:027", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html", }, { name: "31910", refsource: "SECUNIA", url: "http://secunia.com/advisories/31910", }, { name: "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1", refsource: "MISC", url: "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1", }, { name: "1020871", refsource: "SECTRACK", url: "http://www.securitytracker.com/id?1020871", }, { name: "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/", refsource: "MISC", url: "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/", }, { name: "[oss-security] 20080915 Re: CVE request: Ruby on Rails <2.1.1 :limit and :offset SQL injection", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2008/09/16/1", }, { name: "31176", refsource: "BID", url: "http://www.securityfocus.com/bid/31176", }, { name: "31909", refsource: "SECUNIA", url: "http://secunia.com/advisories/31909", }, { name: "ADV-2008-2562", 
refsource: "VUPEN", url: "http://www.vupen.com/english/advisories/2008/2562", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2008-4094", datePublished: "2008-09-30T17:00:00", dateReserved: "2008-09-15T00:00:00", dateUpdated: "2024-08-07T10:00:42.864Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
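The record above (CVE-2008-4094) says the `:limit` and `:offset` options reached the SQL string unsanitized. The following is an added illustration, not Rails' own finder code or its actual patch: a toy query builder that interpolates the option verbatim, beside one that forces the value through `Integer()` first. The table name, helper names and the attacker payload are constructed for the demo.

```ruby
# Added illustration for CVE-2008-4094; example code, not the Active
# Record implementation. Shows an unchecked :limit / :offset value being
# spliced into a statement and the integer-coercion check that stops it.

class UnsafeLimitInjection < StandardError; end

# Vulnerable shape: the option is interpolated verbatim, so a value such
# as "1; DROP TABLE users; --" becomes part of the statement text.
def build_query_unsafe(table, limit:, offset:)
  "SELECT * FROM #{table} LIMIT #{limit} OFFSET #{offset}"
end

# Hardened shape: only a non-negative integer survives. Integer(str, 10)
# rejects anything that is not a complete base-10 integer literal, so
# "1; DROP" or "10 OR 1=1" raise ArgumentError; nil (via to_s => "")
# raises as well. The error is re-raised as a bad-request style error.
def sanitize_limit(value)
  n = Integer(value.to_s, 10)
  raise UnsafeLimitInjection, "negative limit/offset: #{value.inspect}" if n.negative?
  n
rescue ArgumentError, TypeError
  raise UnsafeLimitInjection, "non-integer limit/offset: #{value.inspect}"
end

def build_query_safe(table, limit:, offset:)
  "SELECT * FROM #{table} LIMIT #{sanitize_limit(limit)} OFFSET #{sanitize_limit(offset)}"
end

# Constructed attacker input, the kind of value an :offset option would
# carry if it were taken straight from params[:offset].
PAYLOAD = "1; DROP TABLE users; --"

def demo
  unsafe = build_query_unsafe("users", limit: 10, offset: PAYLOAD)
  safe = begin
    build_query_safe("users", limit: 10, offset: PAYLOAD)
  rescue UnsafeLimitInjection => e
    "rejected: #{e.message}"
  end
  [unsafe, safe]
end

if __FILE__ == $PROGRAM_NAME
  unsafe, safe = demo
  puts unsafe
  puts safe
end
```

The check deliberately lives at the point where the value is turned into SQL, not at the controller, so every caller of the builder is covered regardless of where the option came from.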
cve-2006-4111
Vulnerability from cvelistv5
Published
2006-08-14 21:00
Modified
2024-08-07 18:57
Summary
Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.
References
| URL | Tags |
|---|---|
| http://secunia.com/advisories/21466 | third-party-advisory, x_refsource_SECUNIA |
| http://secunia.com/advisories/21749 | third-party-advisory, x_refsource_SECUNIA |
| http://www.securityfocus.com/bid/19454 | vdb-entry, x_refsource_BID |
| http://www.vupen.com/english/advisories/2006/3237 | vdb-entry, x_refsource_VUPEN |
| http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html | x_refsource_MISC |
| http://www.novell.com/linux/security/advisories/2006_21_sr.html | vendor-advisory, x_refsource_SUSE |
| http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits | x_refsource_CONFIRM |
| http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml | vendor-advisory, x_refsource_GENTOO |
| http://securitytracker.com/id?1016673 | vdb-entry, x_refsource_SECTRACK |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-07T18:57:45.989Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "21466", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/21466", }, { name: "21749", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/21749", }, { name: "19454", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/19454", }, { name: "ADV-2006-3237", tags: [ "vdb-entry", "x_refsource_VUPEN", "x_transferred", ], url: "http://www.vupen.com/english/advisories/2006/3237", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html", }, { name: "SUSE-SR:2006:021", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://www.novell.com/linux/security/advisories/2006_21_sr.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits", }, { name: "GLSA-200608-20", tags: [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred", ], url: "http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml", }, { name: "1016673", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://securitytracker.com/id?1016673", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2006-08-09T00:00:00", descriptions: [ { lang: "en", value: "Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with \"severe\" or \"serious\" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.", }, ], problemTypes: [ { descriptions: [ 
{ description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2006-08-23T09:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "21466", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/21466", }, { name: "21749", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/21749", }, { name: "19454", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/19454", }, { name: "ADV-2006-3237", tags: [ "vdb-entry", "x_refsource_VUPEN", ], url: "http://www.vupen.com/english/advisories/2006/3237", }, { tags: [ "x_refsource_MISC", ], url: "http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html", }, { name: "SUSE-SR:2006:021", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://www.novell.com/linux/security/advisories/2006_21_sr.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits", }, { name: "GLSA-200608-20", tags: [ "vendor-advisory", "x_refsource_GENTOO", ], url: "http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml", }, { name: "1016673", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://securitytracker.com/id?1016673", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2006-4111", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with \"severe\" or \"serious\" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different 
vulnerability than CVE-2006-4112.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "21466", refsource: "SECUNIA", url: "http://secunia.com/advisories/21466", }, { name: "21749", refsource: "SECUNIA", url: "http://secunia.com/advisories/21749", }, { name: "19454", refsource: "BID", url: "http://www.securityfocus.com/bid/19454", }, { name: "ADV-2006-3237", refsource: "VUPEN", url: "http://www.vupen.com/english/advisories/2006/3237", }, { name: "http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html", refsource: "MISC", url: "http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html", }, { name: "SUSE-SR:2006:021", refsource: "SUSE", url: "http://www.novell.com/linux/security/advisories/2006_21_sr.html", }, { name: "http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits", }, { name: "GLSA-200608-20", refsource: "GENTOO", url: "http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml", }, { name: "1016673", refsource: "SECTRACK", url: "http://securitytracker.com/id?1016673", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2006-4111", datePublished: "2006-08-14T21:00:00", dateReserved: "2006-08-14T00:00:00", dateUpdated: "2024-08-07T18:57:45.989Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-0155
Vulnerability from cvelistv5
Published
2013-01-13 22:00
Modified
2024-08-06 14:18
Summary
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
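The summary above turns on one fact: a form submission can only deliver strings, but a JSON body can deliver `[null]`, which a hash-conditions builder renders as `IS NULL`. The block below is an added illustration, not the Active Record or Action Dispatch source. It uses a toy predicate builder, a normalisation pass that collapses arrays of nils to `nil` (modelled loosely on the "deep munge" idea Rails adopted, which is an assumption here rather than its code), and a constructed password-reset lookup with the presence guard many applications relied on.

```ruby
# Added illustration for CVE-2013-0155; example code, not the Rails
# implementation. A JSON body such as {"token":[null]} reaches the query
# as an IS NULL test that no string-shaped parameter could produce and
# that slips past a plain nil/empty guard.
require 'json'

def quote(v)
  v.is_a?(Numeric) ? v.to_s : "'#{v.to_s.gsub("'", "''")}'"
end

# Minimal hash-conditions builder: scalar -> `col = 'v'`, array -> `col IN (...)`,
# nil or an array holding only nils -> `col IS NULL`.
def predicate(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    non_nil = value.compact
    if non_nil.empty?
      "#{column} IS NULL"
    elsif non_nil.size < value.size
      "(#{column} IN (#{non_nil.map { |v| quote(v) }.join(', ')}) OR #{column} IS NULL)"
    else
      "#{column} IN (#{non_nil.map { |v| quote(v) }.join(', ')})"
    end
  else
    "#{column} = #{quote(value)}"
  end
end

# Normalisation pass (assumed shape, not Rails' code): strip nils from
# arrays and replace an array that is then empty with nil, recursively,
# so `[nil]`, `[nil, nil]` and `[]` all become plain nil.
def deep_munge(hash)
  hash.each do |k, v|
    case v
    when Array
      v.grep(Hash) { |h| deep_munge(h) }
      v.compact!
      hash[k] = nil if v.empty?
    when Hash
      deep_munge(v)
    end
  end
  hash
end

# Constructed application lookup: a presence guard, then a hash-condition
# query on the reset token. Returns the SQL it would run, or nil if guarded.
def find_by_reset_token_sql(params)
  token = params['token']
  return nil if token.nil? || token == ''
  "SELECT * FROM users WHERE #{predicate('reset_token', token)} LIMIT 1"
end

# Constructed inputs: what a form would send, and a crafted JSON body.
FORM_PARAMS  = { 'token' => 'abc123' }.freeze
CRAFTED_JSON = '{"token":[null]}'

def demo
  {
    form:     find_by_reset_token_sql(FORM_PARAMS),
    unmunged: find_by_reset_token_sql(JSON.parse(CRAFTED_JSON)),
    munged:   find_by_reset_token_sql(deep_munge(JSON.parse(CRAFTED_JSON)))
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, sql| puts "#{label}: #{sql.inspect}" }
end
```

Note what the munge does and does not do: `[nil]` becomes `nil`, which the application's own guard already handles, but an application that never guards against a missing parameter will still issue `IS NULL` for `nil`. The normalisation restores the invariant the guard depends on; it is not a substitute for type-checking the parameter before it reaches the query.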
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T14:18:09.462Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "openSUSE-SU-2013:1906", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "RHSA-2013:0155", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { name: "DSA-2609", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2013/dsa-2609", }, { name: "openSUSE-SU-2014:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://puppet.com/security/cve/cve-2013-0155", }, { name: "openSUSE-SU-2013:1907", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://support.apple.com/kb/HT5784", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "openSUSE-SU-2013:1904", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { name: "[rubyonrails-security] 20130108 Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-01-08T00:00:00", descriptions: [ { lang: "en", value: "Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2660 and CVE-2012-2694.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-08T10:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "openSUSE-SU-2013:1906", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "RHSA-2013:0155", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { name: "DSA-2609", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2013/dsa-2609", }, { name: "openSUSE-SU-2014:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://puppet.com/security/cve/cve-2013-0155", }, { name: "openSUSE-SU-2013:1907", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://support.apple.com/kb/HT5784", }, { name: 
"APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "openSUSE-SU-2013:1904", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { tags: [ "x_refsource_MISC", ], url: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { name: "[rubyonrails-security] 20130108 Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2013-0155", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2660 and CVE-2012-2694.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "openSUSE-SU-2013:1906", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "RHSA-2013:0155", 
refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2013-0155.html", }, { name: "DSA-2609", refsource: "DEBIAN", url: "http://www.debian.org/security/2013/dsa-2609", }, { name: "openSUSE-SU-2014:0009", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "https://puppet.com/security/cve/cve-2013-0155", refsource: "CONFIRM", url: "https://puppet.com/security/cve/cve-2013-0155", }, { name: "openSUSE-SU-2013:1907", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { name: "http://support.apple.com/kb/HT5784", refsource: "CONFIRM", url: "http://support.apple.com/kb/HT5784", }, { name: "APPLE-SA-2013-06-04-1", refsource: "APPLE", url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "openSUSE-SU-2013:1904", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { name: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", refsource: "MISC", url: "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A", }, { name: "RHSA-2013:0154", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { name: "[rubyonrails-security] 20130108 Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)", refsource: "MLIST", url: "https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-0155", datePublished: "2013-01-13T22:00:00", dateReserved: "2012-12-06T00:00:00", dateUpdated: "2024-08-06T14:18:09.462Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-0751
Vulnerability from cvelistv5
Published
2016-02-16 02:00
Modified
2024-08-05 22:30
Summary
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
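The memory-consumption path in the summary above is a lookup table that remembers every media type it has ever been asked about. The following is an added example, not the `mime_type.rb` code: a small lookup class with a switch that either retains unknown types (the leaking shape) or builds them as throwaway objects (the bounded shape), driven by constructed `Accept` headers that each carry a fresh junk type. Type names, class names and the header format are assumptions for the demo.

```ruby
# Added illustration for CVE-2016-0751; example code, not Action Pack.
# A memoising lookup that stores an entry for every unseen media type
# turns each distinct Accept header into a permanent allocation.

MimeType = Struct.new(:string, :symbol)

REGISTERED_TYPES = {
  'text/html'        => MimeType.new('text/html', :html),
  'application/json' => MimeType.new('application/json', :json),
  'application/xml'  => MimeType.new('application/xml', :xml)
}.freeze

class MimeLookup
  attr_reader :cache

  # cache_unknown: true reproduces the leaking shape, false the bounded one.
  def initialize(cache_unknown:)
    @cache_unknown = cache_unknown
    @cache = REGISTERED_TYPES.dup
  end

  def lookup(type_string)
    return @cache[type_string] if @cache.key?(type_string)
    type = MimeType.new(type_string, nil)
    # The leak: one retained object per previously unseen string, chosen
    # by whoever sends the request.
    @cache[type_string] = type if @cache_unknown
    type
  end
end

# Split an Accept header into media ranges, dropping q-values and params.
def parse_accept(header)
  header.split(',').map { |part| part.split(';').first.strip }.reject(&:empty?)
end

# Send `request_count` requests, each with a distinct junk media type
# (constructed stand-in for crafted Accept headers), and report the number
# of entries the lookup table holds afterwards.
def cache_size_after(request_count, cache_unknown:)
  table = MimeLookup.new(cache_unknown: cache_unknown)
  request_count.times do |i|
    header = "text/html;q=0.9, application/x-junk-#{i}"
    parse_accept(header).each { |t| table.lookup(t) }
  end
  table.cache.size
end

if __FILE__ == $PROGRAM_NAME
  puts "retaining unknown types: #{cache_size_after(10_000, cache_unknown: true)} entries"
  puts "registered types only:   #{cache_size_after(10_000, cache_unknown: false)} entries"
end
```

The practical check for any similar cache is the same as the one this block performs: drive it with a stream of unique keys and confirm the entry count stays flat. A table keyed on request-controlled strings must either refuse to store unknown keys or bound its size.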
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T22:30:03.975Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "openSUSE-SU-2016:0372", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { name: "openSUSE-SU-2016:0363", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { name: "FEDORA-2016-94e71ee673", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { name: "[ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ", }, { name: "FEDORA-2016-f486068393", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { name: "SUSE-SU-2016:1146", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { name: "81800", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/81800", }, { name: "1034816", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1034816", }, { name: "[oss-security] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2016/01/25/9", }, { name: "DSA-3464", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: 
"http://www.debian.org/security/2016/dsa-3464", }, { name: "RHSA-2016:0296", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-01-25T00:00:00", descriptions: [ { lang: "en", value: "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-09-09T09:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "openSUSE-SU-2016:0372", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { name: "openSUSE-SU-2016:0363", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { name: "FEDORA-2016-94e71ee673", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { name: "[ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ", }, { name: "FEDORA-2016-f486068393", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { name: 
"SUSE-SU-2016:1146", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { name: "81800", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/81800", }, { name: "1034816", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1034816", }, { name: "[oss-security] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2016/01/25/9", }, { name: "DSA-3464", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2016/dsa-3464", }, { name: "RHSA-2016:0296", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2016-0751", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "openSUSE-SU-2016:0372", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html", }, { name: "openSUSE-SU-2016:0363", refsource: "SUSE", url: 
"http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html", }, { name: "FEDORA-2016-94e71ee673", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html", }, { name: "[ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack", refsource: "MLIST", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ", }, { name: "FEDORA-2016-f486068393", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html", }, { name: "SUSE-SU-2016:1146", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html", }, { name: "81800", refsource: "BID", url: "http://www.securityfocus.com/bid/81800", }, { name: "1034816", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1034816", }, { name: "[oss-security] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2016/01/25/9", }, { name: "DSA-3464", refsource: "DEBIAN", url: "http://www.debian.org/security/2016/dsa-3464", }, { name: "RHSA-2016:0296", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-0296.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2016-0751", datePublished: "2016-02-16T02:00:00", dateReserved: "2015-12-16T00:00:00", dateUpdated: "2024-08-05T22:30:03.975Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-4491
Vulnerability from cvelistv5
Published
2013-12-07 00:00
Modified
2024-08-06 16:45
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
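The fallback string in the summary above is the "translation missing" placeholder that a translation helper emits when a key is not found; the key text ends up inside markup that is then treated as safe HTML. The block below is an added example, not the Rails `translate` helper or the i18n gem: a toy translator that builds the placeholder unescaped beside one that escapes every fragment derived from the key. It assumes an application that builds part of the key from request input (for instance `t("errors.#{params[:code]}")`), which is a constructed scenario for the demo.

```ruby
# Added illustration for CVE-2013-4491; example code, not the Rails helper.
# When a key has no translation a placeholder is built from the key; if
# the key carries request-controlled text and the placeholder is emitted
# unescaped (in Rails terms, marked html_safe), it is a reflected XSS sink.
require 'erb'

TRANSLATIONS = { 'greeting' => 'Hello', 'errors.not_found' => 'Not found' }.freeze

# Builds the placeholder: the full key goes into the title attribute and
# the humanised last segment into the element body.
def missing_translation_span(key, escape:)
  title = "translation missing: en.#{key}"
  body  = key.split('.').last.to_s.tr('_', ' ').capitalize
  if escape
    title = ERB::Util.html_escape(title)
    body  = ERB::Util.html_escape(body)
  end
  %(<span class="translation_missing" title="#{title}">#{body}</span>)
end

# Vulnerable shape: the placeholder is emitted verbatim.
def translate_unsafe(key)
  TRANSLATIONS.fetch(key) { missing_translation_span(key, escape: false) }
end

# Hardened shape: every fragment derived from the key is HTML-escaped
# before it is placed inside the markup.
def translate_safe(key)
  TRANSLATIONS.fetch(key) { missing_translation_span(key, escape: true) }
end

# Constructed attacker input standing in for a request parameter.
ATTACKER_CODE = '<img src=x onerror=alert(1)>'

def demo
  key = "errors.#{ATTACKER_CODE}"
  { unsafe: translate_unsafe(key), safe: translate_safe(key) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, html| puts "#{label}: #{html}" }
end
```

The escaping has to cover both sinks: the attribute value and the element body. Escaping only the visible text leaves the `title` attribute as a place to break out of with a quote character.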
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T16:45:14.928Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2014:0008", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { name: "openSUSE-SU-2013:1906", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "57836", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/57836", }, { name: "openSUSE-SU-2014:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "openSUSE-SU-2013:1907", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { name: "64076", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/64076", }, { name: "openSUSE-SU-2013:1904", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { name: "[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "RHSA-2013:1794", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: 
"http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { name: "DSA-2888", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2014/dsa-2888", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://puppet.com/security/cve/cve-2013-4491", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-12-03T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-08T10:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2014:0008", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { name: "openSUSE-SU-2013:1906", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "57836", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/57836", }, { name: "openSUSE-SU-2014:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "openSUSE-SU-2013:1907", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { 
name: "64076", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/64076", }, { name: "openSUSE-SU-2013:1904", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { name: "[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "RHSA-2013:1794", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { name: "DSA-2888", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2014/dsa-2888", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://puppet.com/security/cve/cve-2013-4491", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2013-4491", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a 
fallback string by the i18n gem.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2014:0008", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { name: "openSUSE-SU-2013:1906", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "57836", refsource: "SECUNIA", url: "http://secunia.com/advisories/57836", }, { name: "openSUSE-SU-2014:0009", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "openSUSE-SU-2013:1907", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { name: "64076", refsource: "BID", url: "http://www.securityfocus.com/bid/64076", }, { name: "openSUSE-SU-2013:1904", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { name: "[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails", refsource: "MLIST", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ", }, { name: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { name: "RHSA-2014:1863", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "RHSA-2013:1794", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { name: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", refsource: "CONFIRM", url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { name: "DSA-2888", refsource: "DEBIAN", url: "http://www.debian.org/security/2014/dsa-2888", }, { name: "https://puppet.com/security/cve/cve-2013-4491", refsource: "CONFIRM", url: 
"https://puppet.com/security/cve/cve-2013-4491", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-4491", datePublished: "2013-12-07T00:00:00", dateReserved: "2013-06-12T00:00:00", dateUpdated: "2024-08-06T16:45:14.928Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-1854
Vulnerability from cvelistv5
Published
2013-03-19 22:00
Modified
2024-08-06 15:20
Summary
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T15:20:36.703Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "openSUSE-SU-2013:0667", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html", }, { name: "APPLE-SA-2013-10-22-5", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { name: "openSUSE-SU-2013:0659", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html", }, { name: "openSUSE-SU-2013:0660", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://support.apple.com/kb/HT5784", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "openSUSE-SU-2013:0664", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html", }, { name: "openSUSE-SU-2013:0668", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html", }, { name: "[ruby-security-ann] 20130318 [CVE-2013-1854] Symbol DoS vulnerability in Active Record", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain", }, { name: "RHSA-2013:0699", tags: [ "vendor-advisory", 
"x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0699.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-03-18T00:00:00", descriptions: [ { lang: "en", value: "The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2014-12-09T18:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "openSUSE-SU-2013:0667", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html", }, { name: "APPLE-SA-2013-10-22-5", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html", }, { name: "openSUSE-SU-2013:0659", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html", }, { name: "openSUSE-SU-2013:0660", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://support.apple.com/kb/HT5784", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: 
"http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "openSUSE-SU-2013:0664", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html", }, { name: "openSUSE-SU-2013:0668", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html", }, { name: "[ruby-security-ann] 20130318 [CVE-2013-1854] Symbol DoS vulnerability in Active Record", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain", }, { name: "RHSA-2013:0699", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0699.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-1854", datePublished: "2013-03-19T22:00:00", dateReserved: "2013-02-19T00:00:00", dateUpdated: "2024-08-06T15:20:36.703Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2011-2932
Vulnerability from cvelistv5
Published
2011-08-29 18:00
Modified
2024-08-06 23:15
Summary
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T23:15:31.926Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731435", }, { name: "45917", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/45917", }, { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "FEDORA-2011-11579", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11600", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html", }, { name: "FEDORA-2011-11386", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { name: "[rubyonrails-security] 20110816 XSS Vulnerability in the escaping function in Ruby on Rails", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2011-08-16T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a \"UTF-8 escaping vulnerability.\"", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2011-09-23T09:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731435", }, { name: "45917", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/45917", }, { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "FEDORA-2011-11579", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11600", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html", }, { name: "FEDORA-2011-11386", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { name: "[rubyonrails-security] 20110816 XSS Vulnerability in the escaping function in Ruby on Rails", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2011-2932", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a \"UTF-8 escaping vulnerability.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=731435", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=731435", }, { name: "45917", refsource: "SECUNIA", url: "http://secunia.com/advisories/45917", }, { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "FEDORA-2011-11579", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11600", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html", }, { name: "FEDORA-2011-11386", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "[oss-security] 20110819 Re: CVE 
request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { name: "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd", refsource: "CONFIRM", url: "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { name: "[rubyonrails-security] 20110816 XSS Vulnerability in the escaping function in Ruby on Rails", refsource: "MLIST", url: "http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain", }, { name: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2011-2932", datePublished: "2011-08-29T18:00:00", dateReserved: "2011-07-27T00:00:00", dateUpdated: "2024-08-06T23:15:31.926Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-6414
Vulnerability from cvelistv5
Published
2013-12-07 00:00
Modified
2024-08-06 17:39
Summary
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T17:39:01.307Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2014:0008", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { name: "openSUSE-SU-2013:1906", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "57836", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/57836", }, { name: "openSUSE-SU-2014:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "openSUSE-SU-2013:1907", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { name: "openSUSE-SU-2013:1904", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://puppet.com/security/cve/cve-2013-6414", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { name: "[ruby-security-ann] 20131203 [CVE-2013-6414] Denial of Service Vulnerability in Action View", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "RHSA-2013:1794", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", 
}, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { name: "DSA-2888", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2014/dsa-2888", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-12-03T00:00:00", descriptions: [ { lang: "en", value: "actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-08T10:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2014:0008", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { name: "openSUSE-SU-2013:1906", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "57836", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/57836", }, { name: "openSUSE-SU-2014:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "openSUSE-SU-2013:1907", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { name: "openSUSE-SU-2013:1904", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"https://puppet.com/security/cve/cve-2013-6414", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { name: "[ruby-security-ann] 20131203 [CVE-2013-6414] Denial of Service Vulnerability in Action View", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ", }, { name: "RHSA-2014:1863", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "RHSA-2013:1794", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { name: "DSA-2888", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2014/dsa-2888", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2013-6414", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2014:0008", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-0008.html", }, { name: "openSUSE-SU-2013:1906", refsource: "SUSE", url: 
"http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html", }, { name: "57836", refsource: "SECUNIA", url: "http://secunia.com/advisories/57836", }, { name: "openSUSE-SU-2014:0009", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html", }, { name: "openSUSE-SU-2013:1907", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html", }, { name: "openSUSE-SU-2013:1904", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html", }, { name: "https://puppet.com/security/cve/cve-2013-6414", refsource: "CONFIRM", url: "https://puppet.com/security/cve/cve-2013-6414", }, { name: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/", }, { name: "[ruby-security-ann] 20131203 [CVE-2013-6414] Denial of Service Vulnerability in Action View", refsource: "MLIST", url: "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ", }, { name: "RHSA-2014:1863", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2014-1863.html", }, { name: "RHSA-2013:1794", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2013-1794.html", }, { name: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", refsource: "CONFIRM", url: "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/", }, { name: "DSA-2888", refsource: "DEBIAN", url: "http://www.debian.org/security/2014/dsa-2888", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-6414", datePublished: "2013-12-07T00:00:00", dateReserved: "2013-11-04T00:00:00", dateUpdated: "2024-08-06T17:39:01.307Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2011-2930
Vulnerability from cvelistv5
Published
2011-08-29 18:00
Modified
2024-08-06 23:15
Summary
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T23:15:31.901Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11386", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "DSA-2301", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2011/dsa-2301", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "[rubyonrails-security] 20110816 SQL Injection Vulnerability in quote_table_name", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { tags: [ "x_refsource_CONFIRM", 
"x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731438", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2011-08-16T00:00:00", descriptions: [ { lang: "en", value: "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2011-09-23T09:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11386", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", 
"x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "DSA-2301", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2011/dsa-2301", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "[rubyonrails-security] 20110816 SQL Injection Vulnerability in quote_table_name", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=731438", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2011-2930", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.", }, ], }, 
problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "[oss-security] 20110817 CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/17/1", }, { name: "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85", refsource: "CONFIRM", url: "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/13", }, { name: "FEDORA-2011-11386", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html", }, { name: "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/19/11", }, { name: "DSA-2301", refsource: "DEBIAN", url: "http://www.debian.org/security/2011/dsa-2301", }, { name: "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/20/1", }, { name: "[rubyonrails-security] 20110816 SQL Injection Vulnerability in quote_table_name", refsource: "MLIST", url: "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/14", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=731438", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=731438", }, { name: "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/08/22/5", }, { name: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", refsource: 
"CONFIRM", url: "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2011-2930", datePublished: "2011-08-29T18:00:00", dateReserved: "2011-07-27T00:00:00", dateUpdated: "2024-08-06T23:15:31.901Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2012-3465
Vulnerability from cvelistv5
Published
2012-08-10 10:00
Modified
2024-08-06 20:05
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
References
| URL | Tags |
|---|---|
| http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ | x_refsource_CONFIRM |
| http://secunia.com/advisories/50694 | third-party-advisory, x_refsource_SECUNIA |
| http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT |
| https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T20:05:12.646Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/", }, { name: "50694", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/50694", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { name: "[rubyonrails-security] 20120810 XSS Vulnerability in strip_tags", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2012-08-09T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2013-02-07T10:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/", }, { name: "50694", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/50694", }, { name: "RHSA-2013:0154", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { name: 
"[rubyonrails-security] 20120810 XSS Vulnerability in strip_tags", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2012-3465", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/", refsource: "CONFIRM", url: "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/", }, { name: "50694", refsource: "SECUNIA", url: "http://secunia.com/advisories/50694", }, { name: "RHSA-2013:0154", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2013-0154.html", }, { name: "[rubyonrails-security] 20120810 XSS Vulnerability in strip_tags", refsource: "MLIST", url: "https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2012-3465", datePublished: "2012-08-10T10:00:00", dateReserved: "2012-06-14T00:00:00", dateUpdated: "2024-08-06T20:05:12.646Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-0277
Vulnerability from cvelistv5
Published
2013-02-13 01:00
Modified
2024-08-06 14:18
Summary
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
References
| URL | Tags |
|---|---|
| http://securitytracker.com/id?1028109 | vdb-entry, x_refsource_SECTRACK |
| https://puppet.com/security/cve/cve-2013-0277 | x_refsource_CONFIRM |
| http://support.apple.com/kb/HT5784 | x_refsource_CONFIRM |
| http://www.debian.org/security/2013/dsa-2620 | vendor-advisory, x_refsource_DEBIAN |
| http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html | vendor-advisory, x_refsource_APPLE |
| http://www.osvdb.org/90073 | vdb-entry, x_refsource_OSVDB |
| https://groups.google.com/group/rubyonrails-security/msg/302ec7ce90f13837?dmode=source&output=gplain | mailing-list, x_refsource_MLIST |
| http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html | vendor-advisory, x_refsource_SUSE |
| http://www.openwall.com/lists/oss-security/2013/02/11/6 | mailing-list, x_refsource_MLIST |
| http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ | x_refsource_CONFIRM |
| http://secunia.com/advisories/52112 | third-party-advisory, x_refsource_SECUNIA |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T14:18:09.560Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "1028109", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://securitytracker.com/id?1028109", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://puppet.com/security/cve/cve-2013-0277", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://support.apple.com/kb/HT5784", }, { name: "DSA-2620", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2013/dsa-2620", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", "x_transferred", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "90073", tags: [ "vdb-entry", "x_refsource_OSVDB", "x_transferred", ], url: "http://www.osvdb.org/90073", }, { name: "[rubyonrails-security] 20130211 Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://groups.google.com/group/rubyonrails-security/msg/302ec7ce90f13837?dmode=source&output=gplain", }, { name: "openSUSE-SU-2013:0462", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html", }, { name: "[oss-security] 20130211 Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2013/02/11/6", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/", }, { name: "52112", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/52112", }, ], title: "CVE 
Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2013-02-11T00:00:00", descriptions: [ { lang: "en", value: "ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-08T10:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "1028109", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://securitytracker.com/id?1028109", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://puppet.com/security/cve/cve-2013-0277", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://support.apple.com/kb/HT5784", }, { name: "DSA-2620", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2013/dsa-2620", }, { name: "APPLE-SA-2013-06-04-1", tags: [ "vendor-advisory", "x_refsource_APPLE", ], url: "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", }, { name: "90073", tags: [ "vdb-entry", "x_refsource_OSVDB", ], url: "http://www.osvdb.org/90073", }, { name: "[rubyonrails-security] 20130211 Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://groups.google.com/group/rubyonrails-security/msg/302ec7ce90f13837?dmode=source&output=gplain", }, { name: "openSUSE-SU-2013:0462", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html", }, { name: "[oss-security] 20130211 Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"http://www.openwall.com/lists/oss-security/2013/02/11/6", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/", }, { name: "52112", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/52112", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2013-0277", datePublished: "2013-02-13T01:00:00", dateReserved: "2012-12-06T00:00:00", dateUpdated: "2024-08-06T14:18:09.560Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }