Vulnerabilites related to rubyonrails - rails
Vulnerability from fkie_nvd
Published
2011-02-14 21:00
Modified
2025-04-11 00:51
Severity ?
Summary
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 2.1.0 | |
| rubyonrails | rails | 2.1.1 | |
| rubyonrails | rails | 2.1.2 | |
| rubyonrails | rails | 2.2.0 | |
| rubyonrails | rails | 2.2.1 | |
| rubyonrails | rails | 2.2.2 | |
| rubyonrails | rails | 2.3.2 | |
| rubyonrails | rails | 2.3.3 | |
| rubyonrails | rails | 2.3.4 | |
| rubyonrails | rails | 2.3.9 | |
| rubyonrails | rails | 2.3.10 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.3 | |
| rubyonrails | rails | 3.0.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage \"combinations of browser plugins and HTTP redirects,\" a related issue to CVE-2011-0696."
},
{
"lang": "es",
"value": "Ruby on Rails v2.1.x, v2.2.x, and v2.3.x anteriores a v2.3.11,y v3.x anteriores a v3.0.4 no valida correctamente las solicitudes HTTP que contienen una cabecera X-Requested-With, que le hace m\u00e1s f\u00e1cil para los atacantes remotos para llevar a cabo una vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en AJAX o peticiones API, que aprovechan \"combinaciones de complementos del navegador y redirecciones\" esta relacionado con CVE-2011-0696"
}
],
"id": "CVE-2011-0447",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2011-02-14T21:00:03.087",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source\u0026output=gplain"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/43274"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/43666"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2011/dsa-2247"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/46291"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id?1025060"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2011/0587"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2011/0877"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/43274"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/43666"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2247"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/46291"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1025060"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2011/0587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2011/0877"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-27 16:15
Modified
2025-02-13 17:13
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9BC4F9D8-AC45-4E34-BBD0-1DEE885FBB30",
"versionEndExcluding": "7.0.8.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F37CC5DE-B363-478B-B8F2-393412E05802",
"versionEndExcluding": "7.1.3.1",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in \"_html\", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1."
},
{
"lang": "es",
"value": "Rails es un framework de aplicaci\u00f3n web. Existe una posible vulnerabilidad XSS al utilizar los ayudantes de traducci\u00f3n en Action Controller. Las aplicaciones que utilizan m\u00e9todos de traducci\u00f3n como traducir o t en un controlador, con una clave que termina en \"_html\", una clave :default que contiene entradas de usuario que no son de confianza y la cadena resultante se usa en una vista, pueden ser susceptibles a una vulnerabilidad XSS. La vulnerabilidad se solucion\u00f3 en 7.1.3.1 y 7.0.8.1."
}
],
"id": "CVE-2024-26143",
"lastModified": "2025-02-13T17:13:21.617",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-27T16:15:46.800",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0004/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0004/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 2.3.2 | |
| rubyonrails | rails | 2.3.3 | |
| rubyonrails | rails | 2.3.4 | |
| rubyonrails | rails | 2.3.9 | |
| rubyonrails | rails | 2.3.10 | |
| rubyonrails | rails | 2.3.11 | |
| rubyonrails | rails | 2.3.12 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header."
},
{
"lang": "es",
"value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CRLF) actionpack/lib/action_controller/response.rb en Ruby on Rails v2.3.x antes dev 2.3.13 permite a atacantes remotos inyectar cabeceras HTTP de su elecci\u00f3n y llevar a cabo ataques HTTP de divisi\u00f3n de respuesta a trav\u00e9s de la cabecera Content-Type."
}
],
"id": "CVE-2011-3186",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2011-08-29T18:55:01.643",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/bbe342e43abaa78c?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/45921"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=732156"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/bbe342e43abaa78c?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/45921"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=732156"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2006-08-14 21:04
Modified
2025-04-03 01:03
Severity ?
Summary
Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 0.9.1 | |
| rubyonrails | rails | 0.9.2 | |
| rubyonrails | rails | 0.9.3 | |
| rubyonrails | rails | 0.9.4 | |
| rubyonrails | rails | 0.9.4.1 | |
| rubyonrails | rails | 0.10.0 | |
| rubyonrails | rails | 0.10.1 | |
| rubyonrails | rails | 0.11.0 | |
| rubyonrails | rails | 0.11.1 | |
| rubyonrails | rails | 0.12.0 | |
| rubyonrails | rails | 0.12.1 | |
| rubyonrails | rails | 0.13.0 | |
| rubyonrails | rails | 0.13.1 | |
| rubyonrails | rails | 0.14.1 | |
| rubyonrails | rails | 0.14.2 | |
| rubyonrails | rails | 0.14.3 | |
| rubyonrails | rails | 0.14.4 | |
| rubyonrails | rails | 1.0.0 | |
| rubyonrails | rails | 1.1.0 | |
| rubyonrails | rails | 1.1.1 | |
| rubyonrails | rails | 1.1.2 | |
| rubyonrails | rails | 1.1.3 | |
| rubyonrails | ruby_on_rails | * | |
| rubyonrails | ruby_on_rails | 0.5.0 | |
| rubyonrails | ruby_on_rails | 0.5.5 | |
| rubyonrails | ruby_on_rails | 0.5.6 | |
| rubyonrails | ruby_on_rails | 0.5.7 | |
| rubyonrails | ruby_on_rails | 0.6.0 | |
| rubyonrails | ruby_on_rails | 0.6.5 | |
| rubyonrails | ruby_on_rails | 0.7.0 | |
| rubyonrails | ruby_on_rails | 0.8.0 | |
| rubyonrails | ruby_on_rails | 0.8.5 | |
| rubyonrails | ruby_on_rails | 0.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81365A89-D8F1-435A-B13B-C746C9FDCE67",
"versionEndIncluding": "1.1.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with \"severe\" or \"serious\" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112."
},
{
"lang": "es",
"value": "Ruby on Rails anterior a 1.1.5 permite a un atacante remoto ejecutar c\u00f3digo Ruby con un impacto \"severo\" o \"serio\" a trav\u00e9s de una respuesta File Upload con una cabecera HTTP que modifica la variable LOAD_PATH, una vulnerabilidad diferente que CVE-2006-4112."
}
],
"evaluatorSolution": "This vulnerability is fully addressed in the following product release:\r\nRuby on Rails, Ruby on Rails, 1.1.6",
"id": "CVE-2006-4111",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2006-08-14T21:04:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21466"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21749"
},
{
"source": "cve@mitre.org",
"url": "http://securitytracker.com/id?1016673"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"
},
{
"source": "cve@mitre.org",
"url": "http://www.novell.com/linux/security/advisories/2006_21_sr.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/19454"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2006/3237"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21749"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1016673"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.novell.com/linux/security/advisories/2006_21_sr.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/19454"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2006/3237"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 18:15
Modified
2024-11-21 05:38
Severity ?
Summary
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0 | Mailing List, Patch, Third Party Advisory | |
| support@hackerone.com | https://hackerone.com/reports/189878 | Exploit, Third Party Advisory | |
| support@hackerone.com | https://www.debian.org/security/2020/dsa-4766 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/189878 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2020/dsa-4766 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4357891D-A07C-4E1B-B540-92D6C477E7BB",
"versionEndExcluding": "5.2.4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12B5617A-91AC-4B94-BE1A-057DBF322808",
"versionEndExcluding": "6.0.3.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CSRF vulnerability exists in rails \u003c= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de tipo CSRF en el m\u00f3dulo rails versiones anteriores a 6.0.3 incluy\u00e9ndola, rails-ujs que podr\u00eda permitir a atacantes enviar tokens CSRF a dominios incorrectos"
}
],
"id": "CVE-2020-8167",
"lastModified": "2024-11-21T05:38:25.390",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T18:15:11.163",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/189878"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/189878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-10 10:34
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BBBE2A-2BDA-4930-8E26-A1E3C6575F81",
"versionEndIncluding": "3.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup."
},
{
"lang": "es",
"value": "Cross-site scripting (XSS) en actionpack/lib/action_view/helpers/sanitize_helper.rb en el (helper) strip_tags en Ruby on Rails anterior a v3.0.17, v3.1.x anterior a v3.1.8, y v3.2.x anterio a v3.2.8 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de c\u00f3digo HTML con formato incorrecto."
}
],
"id": "CVE-2012-3465",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-10T10:34:47.937",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/50694"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/50694"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-11-30 19:29
Modified
2024-11-21 03:52
Severity ?
Summary
A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://groups.google.com/d/msg/rubyonrails-security/3KQRnXDIuLg/mByx5KkqBAAJ | Exploit, Mailing List, Mitigation, Third Party Advisory | |
| support@hackerone.com | https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/d/msg/rubyonrails-security/3KQRnXDIuLg/mByx5KkqBAAJ | Exploit, Mailing List, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23319E2C-3EFF-4360-86C4-2CCC08333588",
"versionEndExcluding": "5.2.1.1",
"versionStartIncluding": "5.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A bypass vulnerability in Active Storage \u003e= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1."
},
{
"lang": "es",
"value": "Una vulnerabilidad de omisi\u00f3n en Active Storage \u003e= versi\u00f3n 5.2.0 de Google Cloud Storage and Disk services, permite a un atacante modificar los par\u00e1metros `content-disposition` y` content-type` que se pueden usar con archivos HTML y ejecutarlos en l\u00ednea. Adem\u00e1s, si se combina con otras t\u00e9cnicas como el bombardeo de cookies y los manifiestos de AppCache especialmente creados, un atacante puede obtener acceso a URL firmadas privadas dentro de una ruta de almacenamiento espec\u00edfica. Esta vulnerabilidad ha sido corregida en la versi\u00f3n 5.2.1.1."
}
],
"id": "CVE-2018-16477",
"lastModified": "2024-11-21T03:52:50.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-11-30T19:29:00.297",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/3KQRnXDIuLg/mByx5KkqBAAJ"
},
{
"source": "support@hackerone.com",
"tags": [
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/3KQRnXDIuLg/mByx5KkqBAAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 05:38
Severity ?
Summary
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| opensuse | backports_sle | 15.0 | |
| opensuse | leap | 15.1 | |
| opensuse | leap | 15.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4357891D-A07C-4E1B-B540-92D6C477E7BB",
"versionEndExcluding": "5.2.4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12B5617A-91AC-4B94-BE1A-057DBF322808",
"versionEndExcluding": "6.0.3.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*",
"matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de deserializaci\u00f3n de datos no confiables en rails versiones anteriores a 5.2.4.3, rails versiones anteriores a 6.0.3.1, que pueden permitir a un atacante suministrar informaci\u00f3n en la que pueden ser filtrados inadvertidamente par\u00e1metros fromStrong"
}
],
"id": "CVE-2020-8164",
"lastModified": "2024-11-21T05:38:25.023",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:18.677",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/292797"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/292797"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-04-07 23:59
Modified
2025-04-12 10:46
Severity ?
Summary
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBD4FBDC-F05B-4CDD-8928-7122397A7651",
"versionEndIncluding": "3.2.22.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method."
},
{
"lang": "es",
"value": "Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.2, 4.x en versiones anteriores a 4.1.14.2 y 4.2.x en versiones anteriores a 4.2.5.2 permite a atacantes remotos ejecutar c\u00f3digo Ruby arbitrario aprovechando el uso no restringido del m\u00e9todo render de una aplicaci\u00f3n."
}
],
"id": "CVE-2016-2098",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-04-07T23:59:06.643",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/83725"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"source": "secalert@redhat.com",
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/83725"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/40086/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | html_sanitizer | * | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.2 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5.1 | |
| rubyonrails | rails | 4.2.5.2 | |
| rubyonrails | rails | 4.2.6 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "4CBB3D93-016A-43CA-9325-3F5D58DD4FD4",
"versionEndIncluding": "1.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*",
"matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en lib/rails/html/scrubbers.rb en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un nodo CDATA manipulado."
}
],
"id": "CVE-2015-7580",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:03.970",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-01-04 04:46
Modified
2025-04-11 00:51
Severity ?
Summary
The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/ | Exploit | |
| cve@mitre.org | http://openwall.com/lists/oss-security/2013/01/03/12 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html | Broken Link, Exploit | |
| cve@mitre.org | http://www.securityfocus.com/bid/57084 | Broken Link, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/ | Exploit | |
| af854a3a-2127-422b-91ae-364da2661108 | http://openwall.com/lists/oss-security/2013/01/03/12 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html | Broken Link, Exploit | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/57084 | Broken Link, Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1E36D9DF-926C-4763-AD5F-367813F8EF80",
"versionEndExcluding": "3.2.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product."
},
{
"lang": "es",
"value": "La gema Authlogic para Ruby on Rails, cuando se utiliza con algunas versiones antes de v3.2.10, hace llamadas al m\u00e9todo find_by_id potencialmente inseguras que podr\u00eda permitir a atacantes remotos realizar ataques de inyecci\u00f3n SQL CVE-2012-6496 a trav\u00e9s de un par\u00e1metro modificado en ambientes que han conocido un valor secret_token, como lo demuestra un valor contenido en secret_token.rb en un producto de c\u00f3digo abierto."
}
],
"id": "CVE-2012-6497",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-01-04T04:46:02.993",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://openwall.com/lists/oss-security/2013/01/03/12"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Exploit"
],
"url": "http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/57084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://openwall.com/lists/oss-security/2013/01/03/12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Exploit"
],
"url": "http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/57084"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-03-19 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C230384C-A52A-4167-A07D-0E06138EE246",
"versionEndIncluding": "2.3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences."
},
{
"lang": "es",
"value": "El m\u00e9todo sanitize_css en lib/action_controller/vendor/html-scanner/html/sanitizer.rb en el componente Action Pack en Ruby on Rails anterior a v2.3.18, v3.0.x y v3.1.x anterior a v3.1.12, y v3.2.x anterior a v3.2.13, no menaja adecuadamente los caracteres \\n (nueva l\u00ednea), lo que facilita a atacantes remotos llevar a cabo ataques XSS a trav\u00e9s de secuencias CSS."
}
],
"id": "CVE-2013-1855",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-03-19T22:55:01.027",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-02-21 18:00
Modified
2025-04-11 00:51
Severity ?
Summary
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.3 | |
| rubyonrails | rails | 3.0.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument."
},
{
"lang": "es",
"value": "Ruby on Rails v3.0.x anteriores a v3.0.4 no garantiza que los argumentos de la funci\u00f3n de especificar los valores l\u00edmite de n\u00famero entero, lo que facilita a los atacantes remotos para realizar ataques de inyecci\u00f3n SQL a trav\u00e9s de un argumento no num\u00e9rico."
}
],
"id": "CVE-2011-0448",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-02-21T18:00:01.287",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source\u0026output=gplain"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43278"
},
{
"source": "cve@mitre.org",
"url": "http://securitytracker.com/id?1025063"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2011/0877"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43278"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1025063"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2011/0877"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-11 16:15
Modified
2024-11-21 05:50
Severity ?
Summary
The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. This is similar to CVE-2021-22881. Strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, `config.hosts << "sub.example.com"` to permit a request with a Host header value of `sub-example.com`.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867 | Mitigation, Patch, Vendor Advisory | |
| support@hackerone.com | https://hackerone.com/reports/1148025 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867 | Mitigation, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1148025 | Permissions Required, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | 6.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CAFC5D0-4073-430A-B9A1-5CF37A75EC7F",
"versionEndExcluding": "6.1.3.2",
"versionStartIncluding": "6.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:6.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B4431B78-31D7-4845-920B-238B355BF890",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain \"allowed host\" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. This is similar to CVE-2021-22881. Strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, `config.hosts \u003c\u003c \"sub.example.com\"` to permit a request with a Host header value of `sub-example.com`."
},
{
"lang": "es",
"value": "El actionpack ruby gem versiones anteriores a 6.1.3.2, sufre una posible vulnerabilidad de redireccionamiento abierto. Las cabeceras de Host especialmente dise\u00f1adas en combinaci\u00f3n con determinados formatos \"allowed host\" pueden hacer que el middleware Host Authorization de Action Pack redirija a usuarios hacia un sitio web malicioso. Esto es similar a CVE-2021-22881. Las cadenas en config.hosts que no tienen un punto inicial se convierten en expresiones regulares sin un escape apropiado. Esto hace que, por ejemplo, \"config.hosts (( \"sub.example.com\"\" permita una petici\u00f3n con un valor de cabecera Host de \"sub-example.com\""
}
],
"id": "CVE-2021-22903",
"lastModified": "2024-11-21T05:50:52.903",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-11T16:15:11.437",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867"
},
{
"source": "support@hackerone.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1148025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1148025"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-11 16:15
Modified
2024-11-21 05:50
Severity ?
Summary
The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869 | Exploit, Mitigation, Patch, Vendor Advisory | |
| support@hackerone.com | https://hackerone.com/reports/1101125 | Permissions Required, Third Party Advisory | |
| support@hackerone.com | https://security.netapp.com/advisory/ntap-20210805-0009/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869 | Exploit, Mitigation, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1101125 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210805-0009/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "09E7ED24-FC47-4C5C-B34D-9EC1235E9D0B",
"versionEndExcluding": "5.2.4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ED2D04BE-4E2E-4E5D-96F1-E6C96E1FE9B3",
"versionEndExcluding": "5.2.6",
"versionStartIncluding": "5.2.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B73C8592-5E69-4033-9BDC-52D27EE3D25D",
"versionEndExcluding": "6.0.3.7",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C1755DF8-CDBB-483F-86BF-E5D4D9F4DBE7",
"versionEndExcluding": "6.1.3.2",
"versionStartIncluding": "6.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication."
},
{
"lang": "es",
"value": "El actionpack ruby gem versiones anteriores a 6.1.3.2, 6.0.3.7, 5.2.4.6 y 5.2.6, sufre una posible vulnerabilidad de denegaci\u00f3n de servicio en la l\u00f3gica de autenticaci\u00f3n de tokens en Action Controller debido a una expresi\u00f3n regular demasiado permisiva. El c\u00f3digo afectado usa las funciones \"authenticate_or_request_with_http_token\" o \"authenticate_with_http_token\" para la autenticaci\u00f3n de peticiones"
}
],
"id": "CVE-2021-22904",
"lastModified": "2024-11-21T05:50:53.027",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-11T16:15:11.517",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869"
},
{
"source": "support@hackerone.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1101125"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1101125"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-12-16 01:30
Modified
2025-04-09 00:30
Severity ?
Summary
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 2.1.0 | |
| rubyonrails | rails | 2.1.1 | |
| rubyonrails | rails | 2.1.2 | |
| rubyonrails | rails | 2.2.0 | |
| rubyonrails | rails | 2.2.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain."
},
{
"lang": "es",
"value": "Ruby on Rails v2.1 anteriores a v2.1.3 y v2.2.x anteriores a v2.2.2 no verifica los token en peticiones con ciertos tipos de contenido, lo que permite a atacantes remotos evitar la protecci\u00f3n contra la falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) para peticiones de aplicaciones que la requieren con se demuestra en el uso de texto plano."
}
],
"id": "CVE-2008-7248",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2009-12-16T01:30:00.217",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"
},
{
"source": "secalert@redhat.com",
"url": "http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36600"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/38915"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2009/11/28/1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2009/12/02/2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2544"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36600"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/38915"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2009/11/28/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2009/12/02/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2544"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-12 21:15
Modified
2024-11-21 01:18
Severity ?
Summary
The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/cve-2010-3299 | Broken Link | |
| secalert@redhat.com | https://seclists.org/oss-sec/2010/q3/357 | Mailing List, Third Party Advisory | |
| secalert@redhat.com | https://security-tracker.debian.org/tracker/CVE-2010-3299 | Third Party Advisory | |
| secalert@redhat.com | https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/cve-2010-3299 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/oss-sec/2010/q3/357 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2010-3299 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 2.3 | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "27E9CF3D-B93B-4E9F-83D0-668DBD3132B2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks."
},
{
"lang": "es",
"value": "Las funciones de cifrado y descifrado en Ruby on Rails versi\u00f3n 2.3, son vulnerables a los ataques de tipo padding oracle."
}
],
"id": "CVE-2010-3299",
"lastModified": "2024-11-21T01:18:27.953",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-12T21:15:10.333",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2010-3299"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/oss-sec/2010/q3/357"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-3299"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2010-3299"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/oss-sec/2010/q3/357"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-3299"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-311"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-05-27 12:15
Modified
2024-11-21 05:50
Severity ?
Summary
A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://hackerone.com/reports/1106652 | Exploit, Third Party Advisory | |
| support@hackerone.com | https://security.netapp.com/advisory/ntap-20210805-0009/ | Third Party Advisory | |
| support@hackerone.com | https://www.debian.org/security/2021/dsa-4929 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1106652 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210805-0009/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2021/dsa-4929 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | actionpack_page-caching | - | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7292312E-A419-4CA5-AF38-236C358B817B",
"versionEndExcluding": "5.2.4.6",
"versionStartIncluding": "5.2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "549D40C4-8482-4385-BECB-84ED1BD31F15",
"versionEndExcluding": "6.0.3.7",
"versionStartIncluding": "6.0.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08B87F90-A91D-4960-A95B-91262C6042F6",
"versionEndExcluding": "6.1.3.1",
"versionStartIncluding": "6.1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:actionpack_page-caching:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CDBA7A4A-9B3B-4185-8FAD-C5BF0E805F9E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A possible information disclosure / unintended method execution vulnerability in Action Pack \u003e= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input."
},
{
"lang": "es",
"value": "Una posible vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n y ejecuci\u00f3n de m\u00e9todo no intecional en Action Pack versiones posteriores a 2.0.0 e incluy\u00e9ndola, cuando se usa la ayuda \"redirect_to\" o \"polymorphic_url\" con la entrada de un usuario no confiable"
}
],
"id": "CVE-2021-22885",
"lastModified": "2024-11-21T05:50:50.377",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-27T12:15:07.797",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1106652"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4929"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1106652"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4929"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-11 16:15
Modified
2024-11-21 05:50
Severity ?
Summary
The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866 | Exploit, Mitigation, Patch, Vendor Advisory | |
| support@hackerone.com | https://hackerone.com/reports/1138654 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866 | Exploit, Mitigation, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1138654 | Permissions Required, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B73C8592-5E69-4033-9BDC-52D27EE3D25D",
"versionEndExcluding": "6.0.3.7",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DEFD8950-2F5E-4D75-BEAD-E8443B76F1C4",
"versionEndExcluding": "6.1.0.2",
"versionStartIncluding": "6.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine."
},
{
"lang": "es",
"value": "El actionpack ruby gem (un marco de trabajo para manejar y responder a peticiones web en Rails) versiones anteriores a 6.0.3.7, 6.1.3.2 sufre de una posible vulnerabilidad de denegaci\u00f3n de servicio en el analizador de tipos Mime de Action Dispatch. Unas cabeceras Accept cuidadosamente dise\u00f1adas pueden hacer que el analizador de tipos mime de Action Dispatch realice un retroceso catastr\u00f3fico en el motor de expresiones regulares"
}
],
"id": "CVE-2021-22902",
"lastModified": "2024-11-21T05:50:52.777",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-11T16:15:11.360",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866"
},
{
"source": "support@hackerone.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1138654"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1138654"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-08 10:26
Modified
2025-04-11 00:51
Severity ?
Summary
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method."
},
{
"lang": "es",
"value": "El m\u00e9todo decode_credentials method en actionpack/lib/action_controller/metal/http_authentication.rb en Ruby on Rails 3.x anterior a 3.0.16, 3.1.x anterior a 3.1.7, y 3.2.x anterior a 3.2.7 convierte las cadenas Digest Authentication a s\u00edmbolos, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio aprovechando el acceso a una aplicaci\u00f3n que se utiliza un m\u00e9todo de ayuda with_http_digest, como se demostr\u00f3 con el m\u00e9todo authenticate_or_request_with_http_digest."
}
],
"id": "CVE-2012-3424",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-08-08T10:26:19.063",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en\u0026dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en\u0026dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-10-28 00:00
Modified
2025-04-11 00:51
Severity ?
Summary
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 2.3.9 | |
| rubyonrails | rails | 3.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs."
},
{
"lang": "es",
"value": "Ruby on Rails v2.3.9 y v3.0.0 no controla correctamente los atributos anidados, lo cual permite a atacantes remotos modificar registros a su elecci\u00f3n, cambiando los nombres de los par\u00e1metros por formularios de entrada."
}
],
"id": "CVE-2010-3933",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-10-28T00:00:05.673",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41930"
},
{
"source": "cve@mitre.org",
"url": "http://securitytracker.com/id?1024624"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/2719"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41930"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1024624"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/2719"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2025-04-12 10:46
Severity ?
Summary
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C068362-0D49-4117-BC96-780AA802CE4E",
"versionEndIncluding": "3.2.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header."
},
{
"lang": "es",
"value": "actionpack/lib/action_dispatch/http/mime_type.rb en Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no restringe adecuadamente el uso de la cach\u00e9 de tipo MIME, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de memoria) a trav\u00e9s de una cabecera HTTP Accept manipulada."
}
],
"id": "CVE-2016-0751",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:05.877",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/81800"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/81800"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-02 19:15
Modified
2024-11-21 05:38
Severity ?
Summary
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0 | Mailing List, Patch, Third Party Advisory | |
| support@hackerone.com | https://hackerone.com/reports/899069 | Permissions Required, Third Party Advisory | |
| support@hackerone.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/899069 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| fedoraproject | fedora | 33 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC7246C-7C01-44FB-BFD2-0A888B84EE04",
"versionEndExcluding": "6.0.3.2",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A denial of service vulnerability exists in Rails \u003c6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de denegaci\u00f3n de servicio en Rails versiones anteriores a 6.0.3.2, que permiti\u00f3 a un usuario no confiable ejecutar cualquier migraci\u00f3n pendiente en una aplicaci\u00f3n Rails que se ejecuta en producci\u00f3n"
}
],
"id": "CVE-2020-8185",
"lastModified": "2024-11-21T05:38:27.627",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-02T19:15:12.747",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0"
},
{
"source": "support@hackerone.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/899069"
},
{
"source": "support@hackerone.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/899069"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-01-30 12:00
Modified
2025-04-11 00:51
Severity ?
Summary
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156."
},
{
"lang": "es",
"value": "lib/active_support/json/backends/yaml.rb en Ruby on Rails v2.3.x anterior a v2.3.16 y v3.0.x anterior a v3.0.20 no convierte correctamente los datos de tipo JSON a datos YAML para el procesamiento por el analizador YAML, lo cual permite a atacantes remotos ejecutar c\u00f3digo arbitrario, conducir ataques de inyecci\u00f3n SQL, o saltare la autentificaci\u00f3n a trav\u00e9s de la modificaci\u00f3n de datos que disparan una descodificaci\u00f3n insegura, esta vulnerabilidad es diferente a CVE-2013-0156."
}
],
"id": "CVE-2013-0333",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-01-30T12:00:08.930",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0201.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0202.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0203.html"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2013/dsa-2613"
},
{
"source": "secalert@redhat.com",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2013-0333"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0201.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0202.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0203.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2013/dsa-2613"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2013-0333"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-12-07 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*",
"matchCriteriaId": "1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF",
"versionEndIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38F53FB7-A292-4273-BFBE-E231235E845D",
"versionEndIncluding": "3.2.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "991F368C-CEB5-4DE6-A7EE-C341F358A4CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "01DB164E-E08E-4649-84BD-15B4159A3AA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"matchCriteriaId": "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching."
},
{
"lang": "es",
"value": "actionpack/lib/action_view/lookup_context.rb en Action View en Ruby on Rails 3.x anteriores a 3.2.16 y 4.x anteriores a 4.0.2 permite a atacantes remotos causar denegaci\u00f3n de servicio (consumo de memoria) a trav\u00e9s de una cabecera conteniendo un tipo MIME inv\u00e1lido que conduce a un cacheo excesivo."
}
],
"id": "CVE-2013-6414",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-12-07T00:55:03.693",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57836"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "secalert@redhat.com",
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2013-6414"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57836"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2013-6414"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-06 21:15
Modified
2024-11-21 05:38
Severity ?
Summary
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ | Mailing List, Third Party Advisory | |
| support@hackerone.com | https://hackerone.com/reports/904059 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/904059 | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F559E5-D93F-40E5-9630-D7B364B4BED7",
"versionEndExcluding": "6.0.3.4",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In actionpack gem \u003e= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware."
},
{
"lang": "es",
"value": "En actionpack gem versiones posteriores a 6.0.0 incluy\u00e9ndola, se presenta una posible vulnerabilidad de tipo XSS cuando una aplicaci\u00f3n se ejecuta en modo development permitiendo a un atacante enviar o insertar (en otra p\u00e1gina) una URL especialmente dise\u00f1ada que puede permitir al atacante ejecutar JavaScript en el contexto de la aplicaci\u00f3n local.\u0026#xa0;Esta vulnerabilidad se encuentra en el middleware de Excepciones Accionables"
}
],
"id": "CVE-2020-8264",
"lastModified": "2024-11-21T05:38:37.013",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-06T21:15:14.363",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/904059"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/904059"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-06-22 14:55
Modified
2025-04-11 00:51
Severity ?
Summary
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695."
},
{
"lang": "es",
"value": "El componente Active Record en Ruby on Rails v3.0.x antes de v3.0.13, v3.1.x antes de v3.1.5 y v3.2.x antes de 3.2.4 no implementan correctamente el paso de los datos de la solicitud a un m\u00e9todo \u0027where\u0027 en la clase ActiveRecord, lo que permite a atacantes remotos llevar a cabo determinados ataques de inyecci\u00f3n SQL a trav\u00e9s de par\u00e1metros de consulta anidadas que se aprovechan de una recursividad no deseada. Se trata de un problema relacionado con el CVE-2012-2695."
}
],
"id": "CVE-2012-2661",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-06-22T14:55:01.067",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-02-13 01:55
Modified
2025-04-11 00:51
Severity ?
Summary
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML."
},
{
"lang": "es",
"value": "Active Record en Ruby on Rails v3.x anteriores a v3.1.0 y v2.3.x anteriores a v2.3.17 permite a atacantes remotos causar una denegaci\u00f3n de servicio o ejecuci\u00f3n de c\u00f3digo arbitrario a trav\u00e9s de atributos serializados manipulados que causan al asistente +serialize+ la des-serializaci\u00f3n arbitraria del YAML.\r\n\r\n"
}
],
"id": "CVE-2013-0277",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-02-13T01:55:05.230",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/52112"
},
{
"source": "secalert@redhat.com",
"url": "http://securitytracker.com/id?1028109"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2013/dsa-2620"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/6"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/90073"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/302ec7ce90f13837?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2013-0277"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/52112"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1028109"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2013/dsa-2620"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/90073"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/302ec7ce90f13837?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2013-0277"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-02-11 18:15
Modified
2024-11-21 05:50
Severity ?
Summary
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| fedoraproject | fedora | 32 | |
| fedoraproject | fedora | 33 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3AAA9CFA-AD3B-4CE9-922F-D056914CB0EF",
"versionEndExcluding": "5.2.4.5",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "817BE0F5-136C-460E-816D-74B3F6663BA8",
"versionEndExcluding": "6.0.3.5",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "98CE6993-089E-454B-8156-011E03FC3C94",
"versionEndExcluding": "6.1.2.1",
"versionStartIncluding": "6.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input."
},
{
"lang": "es",
"value": "El adaptador PostgreSQL en Active Record versiones anteriores a 6.1.2.1, 6.0.3.5, 5.2.4.5, sufre una vulnerabilidad de denegaci\u00f3n de servicio de expresi\u00f3n regular (REDoS).\u0026#xa0;Una entrada cuidadosamente dise\u00f1ada puede causar que la comprobaci\u00f3n de la entrada en el tipo \"money\" del adaptador de PostgreSQL en Active Record pase demasiado tiempo en una expresi\u00f3n regular, resultando en la posibilidad de un ataque DoS.\u0026#xa0;Esto solo afecta a las aplicaciones Rails que usan PostgreSQL junto con las columnas de tipo money que toman la entrada del usuario"
}
],
"id": "CVE-2021-22880",
"lastModified": "2024-11-21T05:50:49.607",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-11T18:15:17.333",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1023899"
},
{
"source": "support@hackerone.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/"
},
{
"source": "support@hackerone.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4929"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1023899"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4929"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-11-08 11:55
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6646610D-279B-4AEC-B445-981E7784EE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*",
"matchCriteriaId": "A499584B-6E2E-42F3-B0CE-DA7BDD732897",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*",
"matchCriteriaId": "69702127-AB96-4FE0-9AC4-FBE7B8CA77E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en actionpack/lib/action_dispatch/middleware/static.rb en Action Pack en Ruby on Rails 3.x anterior a 3.2.20, 4.0.x anterior a 4.0.11, 4.1.x anterior a 4.1.7, y 4.2.x anterior a 4.2.0.beta3, cuando serve_static_assets est\u00e1 habilitado, permite a atacantes remotos determinar la existencia de ficheros fuera del root de la aplicaci\u00f3n a trav\u00e9s de una secuencia /..%2F."
}
],
"id": "CVE-2014-7818",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-08T11:55:02.977",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2014-7829"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2014-7829"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-06-04 20:15
Modified
2024-11-21 09:14
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | 7.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EEC8C716-9842-478E-B714-06C0DD1CDB1C",
"versionEndExcluding": "7.1.3.4",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:7.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "5B5E3A5F-5ACA-4A9C-A934-BB8AEB639D3B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2."
},
{
"lang": "es",
"value": "Action Text trae contenido de texto enriquecido y edici\u00f3n a Rails. Las instancias de ActionText::Attachable::ContentAttachment incluidas dentro de una etiqueta rich_text_area podr\u00edan contener HTML no sanitizado. Esta vulnerabilidad se solucion\u00f3 en 7.1.3.4 y 7.2.0.beta2."
}
],
"id": "CVE-2024-32464",
"lastModified": "2024-11-21T09:14:58.127",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-04T20:15:11.247",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-07-26 22:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.1.0 | |
| rubyonrails | rails | 3.2.0 | |
| rubyonrails | rails | 3.2.1 | |
| rubyonrails | rails | 3.2.2 | |
| rubyonrails | rails | 3.2.3 | |
| rubyonrails | rails | 3.2.4 | |
| rubyonrails | rails | 3.2.5 | |
| rubyonrails | rails | 3.2.6 | |
| rubyonrails | rails | 3.2.7 | |
| rubyonrails | rails | 3.2.8 | |
| rubyonrails | rails | 3.2.9 | |
| rubyonrails | rails | 3.2.10 | |
| rubyonrails | rails | 3.2.11 | |
| rubyonrails | rails | 3.2.12 | |
| rubyonrails | rails | 3.2.13 | |
| rubyonrails | rails | 3.2.15 | |
| rubyonrails | rails | 3.2.16 | |
| rubyonrails | rails | 3.2.17 | |
| rubyonrails | rails | 4.1.0 | |
| rubyonrails | rails | 4.1.1 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.3 | |
| rubyonrails | rails | 4.1.4 | |
| rubyonrails | rails | 4.1.5 | |
| rubyonrails | rails | 4.1.6 | |
| rubyonrails | rails | 4.1.7 | |
| rubyonrails | rails | 4.1.8 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | ruby_on_rails | 3.2.14 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*",
"matchCriteriaId": "C0406FF0-30F5-40E2-B9B8-FE465D923DE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B7A927B-7E18-44B5-9307-E602790F8AB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
},
{
"lang": "es",
"value": "Vulnerabilidad XSS en json/encoding.rb en Active Support en Ruby on Rails en las versiones 3.x, 4.1.x anterior a 4.1.11 y 4.2 anterior a 4.2.2, permite a atacantes remotos inyectar c\u00f3digo arbitrario HTML o web script a trav\u00e9s de un Hash manipulado que no es manejado correctamente durante la codificaci\u00f3n JSON."
}
],
"id": "CVE-2015-3226",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-07-26T22:59:05.133",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2015/06/16/17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/75231"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-03-13 10:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements."
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en actionpack/lib/action_view/helpers/form_options_helper.rb en \"select helper\" de Ruby on Rails 3.0.x anteriores a 3.0.12, 3.1.x anteriores a 3.1.4, y 3.2.x anteriores a 3.2.2 permite a atacantes remotos inyectar codigo de script web o c\u00f3digo HTML de su elecci\u00f3n a trav\u00e9s de vectores que involucran la generaci\u00f3n de elementos OPTION dentro de elementos SELECT."
}
],
"id": "CVE-2012-1099",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-03-13T10:55:01.260",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2012/dsa-2466"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/03/02/6"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/03/03/1"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=799276"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2012/dsa-2466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/03/02/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/03/03/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=799276"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-18 13:15
Modified
2024-11-21 05:50
Severity ?
Summary
A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8AB5441B-36FB-4F96-B958-E36F4A15E510",
"versionEndExcluding": "6.0.4.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9D495715-8C1F-4734-AA73-A6F82E181AF2",
"versionEndExcluding": "6.1.4.1",
"versionStartIncluding": "6.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A possible open redirect vulnerability in the Host Authorization middleware in Action Pack \u003e= 6.0.0 that could allow attackers to redirect users to a malicious website."
},
{
"lang": "es",
"value": "Se presenta una posible vulnerabilidad de redireccionamiento abierto en el middleware Host Authorization de Action Pack versiones posteriores a 6.0.0 incluy\u00e9ndola, que podr\u00eda permitir a atacantes redirigir a usuarios a un sitio web malicioso"
}
],
"id": "CVE-2021-22942",
"lastModified": "2024-11-21T05:50:59.093",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-18T13:15:09.323",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/5"
},
{
"source": "support@hackerone.com",
"url": "https://security.netapp.com/advisory/ntap-20240202-0005/"
},
{
"source": "support@hackerone.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/"
},
{
"source": "support@hackerone.com",
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240202-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.debian.org/security/2023/dsa-5372"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-02-14 21:00
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 2.0.0 | |
| rubyonrails | rails | 2.0.0 | |
| rubyonrails | rails | 2.0.0 | |
| rubyonrails | rails | 2.0.1 | |
| rubyonrails | rails | 2.0.2 | |
| rubyonrails | rails | 2.0.4 | |
| rubyonrails | rails | 2.1.0 | |
| rubyonrails | rails | 2.1.1 | |
| rubyonrails | rails | 2.1.2 | |
| rubyonrails | rails | 2.2.0 | |
| rubyonrails | rails | 2.2.1 | |
| rubyonrails | rails | 2.2.2 | |
| rubyonrails | rails | 2.3.2 | |
| rubyonrails | rails | 2.3.3 | |
| rubyonrails | rails | 2.3.4 | |
| rubyonrails | rails | 2.3.9 | |
| rubyonrails | rails | 2.3.10 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.3 | |
| rubyonrails | rails | 3.0.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value."
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en la ayuda mail_to en Ruby on Rails en versiones anteriores a v2.3.11, y v3.x anterior a v3.0.4, cuando se usa la codificaci\u00f3n Javascript permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro manipulado a (1) nombre y (2)email .\r\n"
}
],
"id": "CVE-2011-0446",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2011-02-14T21:00:03.007",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source\u0026output=gplain"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/43274"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/43666"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2011/dsa-2247"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/46291"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id?1025064"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2011/0587"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2011/0877"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/43274"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/43666"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2247"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/46291"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1025064"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2011/0587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2011/0877"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2006-08-14 21:04
Modified
2025-04-03 01:03
Severity ?
Summary
Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 1.1.0 | |
| rubyonrails | rails | 1.1.1 | |
| rubyonrails | rails | 1.1.2 | |
| rubyonrails | rails | 1.1.3 | |
| rubyonrails | rails | 1.1.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the \"dependency resolution mechanism\" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or \"data loss,\" a different vulnerability than CVE-2006-4111."
},
{
"lang": "es",
"value": "Vulnerabilidad no especificada en el \"mecanismo de resoluci\u00f3n de dependencias\" en Ruby on Rails 1.1.0 hasta 1.1.5 permite a un atacante remoto ejecutar c\u00f3digo Ruby de su elecci\u00f3n a trav\u00e9s de una URL que no es manejada correctamente en el c\u00f3digo de enrutamiento, lo cual lleva a una denegaci\u00f3n de servicio (aplicaci\u00f3n colgada) o \"perdida de datos\", una vulenrabilidad diferente que CVE-2006-4111."
}
],
"evaluatorSolution": "This vulnerability is addressed in the following product release:\r\nRuby on Rails, Ruby on Rails, 1.1.6",
"id": "CVE-2006-4112",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2006-08-14T21:04:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21424"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21466"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21749"
},
{
"source": "cve@mitre.org",
"url": "http://securitytracker.com/id?1016673"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/699540"
},
{
"source": "cve@mitre.org",
"url": "http://www.novell.com/linux/security/advisories/2006_21_sr.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/442934/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/19454"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28364"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21424"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/21749"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1016673"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/699540"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.novell.com/linux/security/advisories/2006_21_sr.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/442934/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/19454"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28364"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2025-04-12 10:46
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | 5.0.0 | |
| opensuse | leap | 42.1 | |
| opensuse | opensuse | 13.2 | |
| suse | linux_enterprise_module_for_containers | 12 | |
| debian | debian_linux | 8.0 | |
| redhat | software_collections | 1.0 |
{
"cisaActionDue": "2022-04-15",
"cisaExploitAdd": "2022-03-25",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Ruby on Rails Directory Traversal Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E62190CB-5109-46AA-B58C-B3A11667A0AD",
"versionEndExcluding": "3.2.22.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "65BD90F9-5A0C-4A1F-AB48-30FC68A3329F",
"versionEndExcluding": "4.1.14.1",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B405A97A-7C41-4005-8E72-56F632D72B9E",
"versionEndExcluding": "4.2.5.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:suse:linux_enterprise_module_for_containers:12:*:*:*:*:*:*:*",
"matchCriteriaId": "E9772014-5321-4AB8-9525-A94797C993B2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9D7EE4B6-A6EC-4B9B-91DF-79615796673F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en Action View en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 permite a atacantes remotos leer archivos arbitrarios aprovechando el uso no restringido del m\u00e9todo render en una aplicaci\u00f3n y proporcionando un .. (punto punto) en un nombre de ruta."
}
],
"id": "CVE-2016-0752",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2016-02-16T02:59:06.783",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Permissions Required"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Permissions Required"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/81801"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/81801"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40561/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-07-26 22:59
Modified
2025-04-12 10:46
Severity ?
Summary
The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| opensuse | opensuse | 13.1 | |
| opensuse | opensuse | 13.2 | |
| rubyonrails | rails | 4.1.0 | |
| rubyonrails | rails | 4.1.1 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.3 | |
| rubyonrails | rails | 4.1.4 | |
| rubyonrails | rails | 4.1.5 | |
| rubyonrails | rails | 4.1.6 | |
| rubyonrails | rails | 4.1.7 | |
| rubyonrails | rails | 4.1.8 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B7A927B-7E18-44B5-9307-E602790F8AB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth."
},
{
"lang": "es",
"value": "Vulnerabilidad en los componentes (1) jdom.rb y (2) rexml.rb en Active Support en Ruby on Rails en versiones anteriores a 4.1.11 y 4.2.x anteriores a 4.2.2, cuando JDOM o REXML est\u00e1 activado, permite a atacantes remotos causar una denegaci\u00f3n de servicio (SystemStackError) a trav\u00e9s de un documento XML de gran tama\u00f1o."
}
],
"id": "CVE-2015-3227",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-07-26T22:59:06.070",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html"
},
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2015/06/16/16"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/75234"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2015/06/16/16"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/75234"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1033755"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-11-21 12:00
Modified
2025-04-09 00:30
Severity ?
Summary
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA2DB681-506C-40ED-9259-AFD733F6273A",
"versionEndIncluding": "2.0.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n CRLF en Ruby on Rails anteriores a v2.0.5, permite a atacantes remotos inyectar cabeceras HTTP de su elecci\u00f3n y llevar a cabo ataques de divisi\u00f3n de respuesta HTTP mediante una URL manipulada a la funci\u00f3n redirect_to."
}
],
"id": "CVE-2008-5189",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-11-21T12:00:00.187",
"references": [
{
"source": "cve@mitre.org",
"url": "http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing"
},
{
"source": "cve@mitre.org",
"url": "http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/32359"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/32359"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-09-30 17:22
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9CE42D86-A8FE-493F-9AB6-4E032E9294FF",
"versionEndIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer."
},
{
"lang": "es",
"value": "\"M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en Ruby on Rails anterior a versi\u00f3n 2.1.1, permiten a los atacantes remotos ejecutar comandos SQL arbitrarios por medio de los par\u00e1metros (1): limit y (2): offset, relacionados con ActiveRecord, ActiveSupport, ActiveResource, ActionPack y ActionMailer."
}
],
"id": "CVE-2008-4094",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-09-30T17:22:09.147",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
},
{
"source": "cve@mitre.org",
"url": "http://gist.github.com/8946"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/31875"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/31909"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/31910"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/31176"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id?1020871"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2008/2562"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://gist.github.com/8946"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://rails.lighthouseapp.com/projects/8994/tickets/288"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://rails.lighthouseapp.com/projects/8994/tickets/964"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/31875"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/31909"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/31910"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/13/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/16/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31176"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1020871"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2008/2562"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45109"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-11-18 23:59
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6646610D-279B-4AEC-B445-981E7784EE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*",
"matchCriteriaId": "A499584B-6E2E-42F3-B0CE-DA7BDD732897",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*",
"matchCriteriaId": "69702127-AB96-4FE0-9AC4-FBE7B8CA77E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.20:*:*:*:*:*:*:*",
"matchCriteriaId": "48D71F7B-CF93-41D4-A824-51CB11F08692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \\ (backslash) character, a similar issue to CVE-2014-7818."
},
{
"lang": "es",
"value": "Una vulnerabilidad de salto de directorio en actionpack/lib/action_dispatch/middleware/static.rb en el Action Pack de Ruby on Rails 3.x anterior a 3.2.21, 4.0.x anterior a 4.0.12, 4.1.x anterior a 4.1.8, y 4.2.x anterior a 4.2.0.beta4, cuando serve_static_assets est\u00e1 activado, permite a atacantes remotos determinar la existencia de ficheros fuera de la aplicaci\u00f3n root a trav\u00e9s de vectores que implican un car\u00e1cter \\ (barra invertida), un problema similar al CVE-2014-7818."
}
],
"id": "CVE-2014-7829",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-18T23:59:03.427",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/71183"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2014-7829"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/71183"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2014-7829"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-09 20:15
Modified
2024-11-21 07:45
Severity ?
Summary
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| ruby-lang | ruby | * | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A4B1AF3-B872-4699-9EFF-BD9B9822B5D7",
"versionEndExcluding": "6.1.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA4E147-AAD7-4EA9-BB6B-8358610FEE9A",
"versionEndExcluding": "7.0.4.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F841AE5D-60DD-4E3A-854A-9B7B906BF7E7",
"versionEndExcluding": "3.2.0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately."
}
],
"id": "CVE-2023-22795",
"lastModified": "2024-11-21T07:45:26.440",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-09T20:15:11.420",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"source": "support@hackerone.com",
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-10-17 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| opensuse | opensuse | 12.2 | |
| opensuse | opensuse | 12.3 | |
| opensuse | opensuse | 13.1 | |
| debian | debian_linux | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "393CE9B0-AD9B-4A51-AC58-CF10BF115251",
"versionEndExcluding": "3.2.15",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D806A17E-B8F9-466D-807D-3F1E77603DC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidadews de format string en archivos log_subscriber.rb en el componente de suscripci\u00f3n de log de Action Mailer en Ruby on Rails 3.x anterior a 3.2.15 permite a atacantes remotos causar una denegaci\u00f3n de servicio a trav\u00e9s de una direcci\u00f3n de email manipulada que es manejada de manera inapropiada durante la construcci\u00f3n de un mensaje de log."
}
],
"id": "CVE-2013-4389",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-10-17T00:55:03.320",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-2887"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Exploit"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-2887"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Exploit"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-134"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-06-22 14:55
Modified
2025-04-11 00:51
Severity ?
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F046DC2-971A-46E6-A61B-AD39B954D634",
"versionEndIncluding": "3.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"[\u0027xyz\u0027, nil]\" values, a related issue to CVE-2012-2660."
},
{
"lang": "es",
"value": "actionpack/lib/action_dispatch/http/request.rb en Ruby on Rails antes de la version v3.0.14, en la v3.1.x antes de v3.1.6 y v3.2.x antes de v 3.2.6 no considera adecuadamente las diferencias en el manejo de par\u00e1metros entre el componente Active Record y la interfaz Rack, lo que permite a atacantes remotos evitar las restricciones de consulta de bases de datos y realizar comprobaciones de nulos a trav\u00e9s de solicitudes hechas a mano, por ejemplo con los valores \"[\u0027xyz\u0027, nil]\". Es un problema relacionado con el CVE-2012-2660."
}
],
"id": "CVE-2012-2694",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-06-22T14:55:01.097",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-27 16:15
Modified
2025-02-14 16:22
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| ruby-lang | ruby | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F37CC5DE-B363-478B-B8F2-393412E05802",
"versionEndExcluding": "7.1.3.1",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F841AE5D-60DD-4E3A-854A-9B7B906BF7E7",
"versionEndExcluding": "3.2.0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected."
},
{
"lang": "es",
"value": "Rails es un framework de aplicaci\u00f3n web. A partir de la versi\u00f3n 7.1.0, existe una posible vulnerabilidad ReDoS en las rutinas de an\u00e1lisis del encabezado Aceptar de Action Dispatch. Esta vulnerabilidad est\u00e1 parcheada en 7.1.3.1. Ruby 3.2 tiene mitigaciones para este problema, por lo que las aplicaciones Rails que usan Ruby 3.2 o posterior no se ven afectadas."
}
],
"id": "CVE-2024-26142",
"lastModified": "2025-02-14T16:22:23.763",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-27T16:15:46.600",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240503-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240503-0003/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2025-04-12 10:46
Severity ?
Summary
actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application\u0027s use of a wildcard controller route."
},
{
"lang": "es",
"value": "actionpack/lib/action_dispatch/routing/route_set.rb en Action Pack en Ruby on Rails 4.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 permite a atacantes remotos causar una denegaci\u00f3n de servicio (almacenamiento en cach\u00e9 superfluo y consumo de memoria) aprovechando el uso de una ruta de controlador comod\u00edn por una aplicaci\u00f3n."
}
],
"id": "CVE-2015-7581",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:04.877",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/16"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/81677"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/16"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/81677"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-12-07 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*",
"matchCriteriaId": "1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF",
"versionEndIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en el ayudante simple_format en actionpack/lib/action_view/helpers/text_helper.rb de Ruby on Rails 4.x anterior a la versi\u00f3n 4.0.2 permite a atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s de un atributo HTML manipulado."
}
],
"id": "CVE-2013-6416",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-12-07T00:55:03.740",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/64071"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/64071"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-12-07 17:30
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "195F4692-EB88-40A4-AEF5-0F81CC41CFE3",
"versionEndIncluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb."
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Ruby on Rails anterior v2.2.s, y v2.3.x anterior v2.3.5, permite a atacantes remotos inyectar c\u00f3digo Web o HTML a su lecci\u00f3n a trav\u00e9s de vectores que incluyen caracteres ASCII no imprimibles, relacionado con HTML::Tokenizer y actionpack/lib/action_controller/vendor/html-scanner/html/node.rb."
}
],
"id": "CVE-2009-4214",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2009-12-07T17:30:00.217",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5"
},
{
"source": "cve@mitre.org",
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"
},
{
"source": "cve@mitre.org",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/37446"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/38915"
},
{
"source": "cve@mitre.org",
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "cve@mitre.org",
"url": "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2011/dsa-2260"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2009/11/27/2"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2009/12/08/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/37142"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id?1023245"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/3352"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/37446"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/38915"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2260"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2009/11/27/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2009/12/08/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/37142"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1023245"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/3352"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-09-08 18:30
Modified
2025-04-09 00:30
Severity ?
Summary
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 2.1.0 | |
| rubyonrails | rails | 2.1.1 | |
| rubyonrails | rails | 2.1.2 | |
| rubyonrails | rails | 2.2.0 | |
| rubyonrails | rails | 2.2.1 | |
| rubyonrails | rails | 2.2.2 | |
| rubyonrails | rails | 2.3.2 | |
| rubyonrails | rails | 2.3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts."
},
{
"lang": "es",
"value": "Un determinado algoritmo de Ruby on Rails v2.1.0 hasta v2.2.2 y v2.3.x antes de v2.3.4, filtra informaci\u00f3n de la complejidad de la verificaci\u00f3n de firmas Hash en el almacen de cookies, lo que podr\u00eda permitir crear una firma Hash a atacantes remotos a trav\u00e9s de m\u00faltiples intentos."
}
],
"id": "CVE-2009-3086",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2009-09-08T18:30:00.453",
"references": [
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/36600"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2011/dsa-2260"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/37427"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2544"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/36600"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2260"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/37427"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2544"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-06-22 14:55
Modified
2025-04-11 00:51
Severity ?
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2694."
},
{
"lang": "es",
"value": "actionpack/lib/action_dispatch/http/request.rb en Ruby on Rails antes de v3.0.13, v3.1.x antes de v3.1.5 y v3.2.x antes de v3.2.4 no tienen debidamente en cuenta las diferencias en el manejo de par\u00e1metros entre el componente Active Record y la interfaz Rack, lo que permite a atacantes remotos evitar las restricciones de consulta de bases de datos y realizar comprobaciones de nulos a trav\u00e9s de una solicitud hecha a mano, por ejemplo con valores \"[nil]\". Se trata de un problema relacionado con el CVE-2012-2694."
}
],
"id": "CVE-2012-2660",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-06-22T14:55:01.020",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-11-16 17:59
Modified
2025-04-12 10:46
Severity ?
Summary
The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 1.9.3 | |
| rubyonrails | rails | 2.0.0 | |
| rubyonrails | rails | 2.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "164A3546-832A-4466-ADFE-EEE787136199",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string."
},
{
"lang": "es",
"value": "La funci\u00f3n str_buf_cat en string.c en Ruby 1.9.3, 2.0.0, y 2.1 permite a atacantes dependientes del contexto, provocar una denegaci\u00f3n de servicio (fallo de segmentaci\u00f3n y ca\u00edda) mediante una larga cadena de texto."
}
],
"id": "CVE-2014-3916",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-16T17:59:04.253",
"references": [
{
"source": "cve@mitre.org",
"url": "http://seclists.org/oss-sec/2014/q2/362"
},
{
"source": "cve@mitre.org",
"url": "http://seclists.org/oss-sec/2014/q2/375"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/67705"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.ruby-lang.org/issues/9709"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/93505"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/oss-sec/2014/q2/362"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/oss-sec/2014/q2/375"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/67705"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.ruby-lang.org/issues/9709"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/93505"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-19"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2025-04-12 10:46
Severity ?
Summary
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C3AF00C3-93D9-4284-BCB9-40E42CB8386E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C068362-0D49-4117-BC96-780AA802CE4E",
"versionEndIncluding": "3.2.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."
},
{
"lang": "es",
"value": "El m\u00e9todo http_basic_authenticate_with en actionpack/lib/action_controller/metal/http_authentication.rb en la implementaci\u00f3n Basic Authentication en Action Controller en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no usa el algoritmo de tiempo constante para verificar credenciales, lo que hace que sea m\u00e1s f\u00e1cil para atacantes remotos eludir la autenticaci\u00f3n mediante la medici\u00f3n de las diferencias de temporizaci\u00f3n."
}
],
"id": "CVE-2015-7576",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:00.110",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/81803"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/81803"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-254"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-11-30 19:29
Modified
2024-11-21 03:52
Severity ?
Summary
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://access.redhat.com/errata/RHSA-2019:0600 | Third Party Advisory | |
| support@hackerone.com | https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ | Exploit, Mailing List, Mitigation, Third Party Advisory | |
| support@hackerone.com | https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:0600 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ | Exploit, Mailing List, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| redhat | cloudforms | 4.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "91E13D8E-83B0-4378-ABE8-C3D3E8620E91",
"versionEndExcluding": "4.2.11",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "69CD5219-EC1C-472E-9972-185FE18F6551",
"versionEndExcluding": "5.0.7.1",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "55306814-6369-428E-A528-C41963AECB2D",
"versionEndExcluding": "5.1.6.1",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23319E2C-3EFF-4360-86C4-2CCC08333588",
"versionEndExcluding": "5.2.1.1",
"versionStartIncluding": "5.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "67F7263F-113D-4BAE-B8CB-86A61531A2AC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1."
},
{
"lang": "es",
"value": "Una vulnerabilidad del Control de acceso roto en las versiones de Trabajo activo\u003e = versi\u00f3n 4.2.0 permite a un atacante crear una entrada de usuario que puede hacer que el Trabajo activo lo deserialice con GlobalId y les d\u00e9 acceso a la informaci\u00f3n que no deber\u00edan tener. Esta vulnerabilidad se ha corregido en las versiones 4.2.11, 5.0.7.1, 5.1.6.1 y 5.2.1.1."
}
],
"id": "CVE-2018-16476",
"lastModified": "2024-11-21T03:52:49.880",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-11-30T19:29:00.220",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0600"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ"
},
{
"source": "support@hackerone.com",
"tags": [
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0600"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-09-07 19:28
Modified
2025-04-12 10:46
Severity ?
Summary
Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.2 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5.1 | |
| rubyonrails | rails | 4.2.5.2 | |
| rubyonrails | rails | 4.2.6 | |
| rubyonrails | rails | 4.2.6 | |
| rubyonrails | rails | 4.2.7 | |
| rubyonrails | rails | 4.2.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "6A19315C-9A9D-45FE-81C8-074744825B98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "392CF25B-8400-4185-863F-D6353B664FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3037282A-863A-4C92-A40C-4D436D2621C1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155."
},
{
"lang": "es",
"value": "Action Record en Ruby en Rails 4.2.x en versiones anteriores a 4.2.7.1 no considera adecuadamente las diferencias en en el manejo de par\u00e1metros entre el componente Active Record y la implementaci\u00f3n de JSON, lo que permite a atacantes remotos eludir restricciones destinadas a la consulta de base de datos y realizar comprobaciones NULL o desencadenar clausulas perdidas WHERE a trav\u00e9s de un solicitud manipulada, como se demuestra por ciertos valores \"[nil]\", un problema relacionado con CVE-2012-2660, CVE-2012-2694 y CVE-2013-0155."
}
],
"id": "CVE-2016-6317",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-09-07T19:28:11.410",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/4"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/92434"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/WccgKSKiPZA"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/92434"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/WccgKSKiPZA"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
},
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-01-04 04:46
Modified
2025-04-11 00:51
Severity ?
Summary
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53AE7CCA-1E57-4925-A025-F1BBFCE70272",
"versionEndIncluding": "3.0.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el componente Active Record en Ruby on Rails antes de v3.0.18, v3.1.x antes de v3.1.9, y v3.2.x antes de v3.2.10, permite a atacantes remotos ejecutar comandos SQL a trav\u00e9s de una solicitud modificada que aprovecha el comportamiento incorrecto de buscadores din\u00e1micos en aplicaciones que pueden utilizar los tipos de datos inesperados en ciertas llamadas al m\u00e9todo find_by_."
}
],
"id": "CVE-2012-6496",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-01-04T04:46:02.947",
"references": [
{
"source": "cve@mitre.org",
"url": "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0155.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0220.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0544.html"
},
{
"source": "cve@mitre.org",
"url": "http://security.gentoo.org/glsa/glsa-201401-22.xml"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/57084"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=889649"
},
{
"source": "cve@mitre.org",
"url": "https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0155.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0220.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0544.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://security.gentoo.org/glsa/glsa-201401-22.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/57084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=889649"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 18:15
Modified
2025-05-09 20:15
Severity ?
Summary
A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| opensuse | leap | 15.1 | |
| opensuse | leap | 15.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4357891D-A07C-4E1B-B540-92D6C477E7BB",
"versionEndExcluding": "5.2.4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12B5617A-91AC-4B94-BE1A-057DBF322808",
"versionEndExcluding": "6.0.3.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A deserialization of untrusted data vulnernerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de deserializaci\u00f3n de datos no confiables en rails versiones anteriores a 5.2.4.3, rails versiones anteriores a 6.0.3.1, que puede permitir a un atacante desarmar los objetos proporcionados por el usuario en MemCacheStore y RedisCacheStore, lo que podr\u00eda generar un RCE"
}
],
"id": "CVE-2020-8165",
"lastModified": "2025-05-09T20:15:36.103",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T18:15:11.067",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/413388"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/413388"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20250509-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a \"filter skipping vulnerability.\""
},
{
"lang": "es",
"value": "La funcionalidad de selecci\u00f3n de plantilla en actionpack/lib/action_view/template/resolver.rb en Ruby sobre Rails 3.0.x anterior a v3.0.10 y v3.1.x anterior a v3.1.0.rc6 no maneja adecuadamente caracteres glob, lo que permite a atacantes remotos renderizar vistas de su elecci\u00f3n a trav\u00e9s de una URL manipulada, relacionada con una vulnerabilidad \"filter skipping\"."
}
],
"id": "CVE-2011-2929",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-08-29T18:55:01.393",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731432"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731432"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-02-20 15:27
Modified
2025-04-11 00:51
Severity ?
Summary
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*",
"matchCriteriaId": "C0406FF0-30F5-40E2-B9B8-FE465D923DE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6646610D-279B-4AEC-B445-981E7784EE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "005A14B0-1621-4A0C-A990-2B8B59C199B3",
"versionEndIncluding": "3.2.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "991F368C-CEB5-4DE6-A7EE-C341F358A4CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "01DB164E-E08E-4649-84BD-15B4159A3AA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"matchCriteriaId": "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers."
},
{
"lang": "es",
"value": "actionpack/lib/action_view/template/text.rb en Action View en Ruby on Rails 3.x anterior a 3.2.17 convierte cadenas tipo MIME a s\u00edmbolos durante el uso de la opci\u00f3n :text al m\u00e9todo render, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de memoria) mediante la inclusi\u00f3n de estas cadenas en cabeceras."
}
],
"id": "CVE-2014-0082",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-02-20T15:27:09.170",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"
},
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2014/02/18/10"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0215.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0306.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57376"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57836"
},
{
"source": "secalert@redhat.com",
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2014-0082"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/02/18/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0215.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0306.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57376"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57836"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2014-0082"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 05:38
Severity ?
Summary
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ | Mailing List, Patch, Third Party Advisory | |
| support@hackerone.com | https://hackerone.com/reports/789579 | Exploit, Third Party Advisory | |
| support@hackerone.com | https://www.debian.org/security/2020/dsa-4766 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/789579 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2020/dsa-4766 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1FB41816-EA80-435F-AB30-076EE523E2A8",
"versionEndExcluding": "5.2.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12B5617A-91AC-4B94-BE1A-057DBF322808",
"versionEndExcluding": "6.0.3.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A client side enforcement of server side security vulnerability exists in rails \u003c 5.2.4.2 and rails \u003c 6.0.3.1 ActiveStorage\u0027s S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits."
},
{
"lang": "es",
"value": "Se presenta una aplicaci\u00f3n del lado del cliente de una vulnerabilidad de seguridad del lado del servidor en rails versiones anteriores a 5.2.4.2 y rails versiones anteriores a 6.0.3.1 El adaptador S3 de ActiveStorage que permite a un usuario final modificar el Content-Length de una carga directa de archivos sin pasar por los l\u00edmites de carga"
}
],
"id": "CVE-2020-8162",
"lastModified": "2024-11-21T05:38:24.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:18.583",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/789579"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/789579"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-602"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-03-19 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C230384C-A52A-4167-A07D-0E06138EE246",
"versionEndIncluding": "2.3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a \u0026#x3a; sequence."
},
{
"lang": "es",
"value": "El sanitize helper en lib/action_controller/vendor/html-scanner/html/sanitizer.rb en el componente Action Pack en Ruby on Rails en versiones anteriores a 2.3.18, 3.0.x y 3.1.x en versiones anteriores a 3.1.12 y 3.2.x en versiones anteriores a 3.2.13 no maneja adecuadamente codificaci\u00f3n de caracteres : (dos puntos) en URLs, lo que hace que sea m\u00e1s f\u00e1cil para atacantes remotos llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) a trav\u00e9s de un nombre de esquema manipulado, seg\u00fan lo demostrado incluyendo una secuencia :."
}
],
"id": "CVE-2013-1857",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-03-19T22:55:01.087",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/78b9817a5943f6d6?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0698.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/78b9817a5943f6d6?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-02 19:15
Modified
2024-11-21 05:38
Severity ?
Summary
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B44DA337-EE0D-4D0D-91BC-DB1916079E67",
"versionEndExcluding": "5.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE."
},
{
"lang": "es",
"value": "Se trata de una vulnerabilidad de inyecci\u00f3n de c\u00f3digo en versiones de Rails anteriores a 5.0.1, que permitir\u00eda a un atacante que controlara el argumento \"locals\" de una llamada \"render\" para realizar un RCE"
}
],
"id": "CVE-2020-8163",
"lastModified": "2024-11-21T05:38:24.910",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-02T19:15:12.433",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0"
},
{
"source": "support@hackerone.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/304805"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/304805"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2025-04-12 10:46
Severity ?
Summary
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C3AF00C3-93D9-4284-BCB9-40E42CB8386E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C068362-0D49-4117-BC96-780AA802CE4E",
"versionEndIncluding": "3.2.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature."
},
{
"lang": "es",
"value": "activerecord/lib/active_record/nested_attributes.rb en Active Record en Ruby on Rails 3.1.x y 3.2.x en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no implementa adecuadamente una cierta opci\u00f3n de destruir, lo que permite a atacantes remotos eludir restricciones destinadas al cambio mediante el aprovechamiento del uso de la funcionalidad de atributos anidados."
}
],
"id": "CVE-2015-7577",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:01.063",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/81806"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/81806"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-12-07 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38F53FB7-A292-4273-BFBE-E231235E845D",
"versionEndIncluding": "3.2.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "991F368C-CEB5-4DE6-A7EE-C341F358A4CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "01DB164E-E08E-4649-84BD-15B4159A3AA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"matchCriteriaId": "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*",
"matchCriteriaId": "1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF",
"versionEndIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site scripting (XSS) en number_to_currency en actionpack/lib/action_view/helpers/number_helper.rb en Ruby on Rails anterior a v3.2.16 y v4.x anterior a v4.0.2 permite a atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s del par\u00e1metro \"unit\"."
}
],
"id": "CVE-2013-6415",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-12-07T00:55:03.710",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/56093"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/64077"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2013-6415"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/56093"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/64077"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2013-6415"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-01-13 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | ruby_on_rails | * | |
| rubyonrails | ruby_on_rails | * | |
| rubyonrails | ruby_on_rails | * | |
| debian | debian_linux | 6.0 | |
| debian | debian_linux | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF1D9248-14D7-4EA2-B416-D76FBA64E329",
"versionEndExcluding": "3.2.11",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B28BEC17-EF03-4790-ACB3-89F615269803",
"versionEndExcluding": "2.3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC513BC8-F945-46A9-A63F-22585232DAE8",
"versionEndExcluding": "3.0.19",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08C05EBE-B0D8-48F5-8C69-5801000189BA",
"versionEndExcluding": "3.1.10",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion."
},
{
"lang": "es",
"value": "active_support/core_ext/hash/conversions.rb en Ruby on Rails anterior a v2.3.15, v3.0.x anterior a v3.0.19, v3.1.x anterior a v3.1.10, y v3.2.x anterior a v3.2.11 no restringe adecuadamente el \"casting\" de las variables de tipo cadena, lo que permite a atacantes remotos llevar a cabo ataques de inyecci\u00f3n de objetos y la ejecuci\u00f3n de c\u00f3digo arbitrario o provocar una denegaci\u00f3n de servicio (consumo de memoria y CPU) involucrando a referencias de entidades XML anidadas, aprovechando el soporte de Action Pack para lso tipos de conversion (1) YAML o (2) Symbol."
}
],
"id": "CVE-2013-0156",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-01-13T22:55:00.947",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0153.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0155.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2013/dsa-2604"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.insinuator.net/2013/01/rails-yaml/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/380039"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://puppet.com/security/cve/cve-2013-0156"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0153.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0155.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2013/dsa-2604"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.insinuator.net/2013/01/rails-yaml/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/380039"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/628463"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://puppet.com/security/cve/cve-2013-0156"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-03-27 14:29
Modified
2024-11-21 04:44
Severity ?
Summary
A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | 6.0.0 | |
| rubyonrails | rails | 6.0.0 | |
| debian | debian_linux | 8.0 | |
| fedoraproject | fedora | 30 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E0F04AF9-16F6-4E06-A273-1350DA7E42D4",
"versionEndExcluding": "5.2.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:6.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "A6484A59-C742-4ADC-B57F-3D51CEC351BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:6.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "64F85321-5D75-4E0F-820D-22F393BAAEBD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
"matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability in development mode Rails \u003c5.2.2.1, \u003c6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit."
},
{
"lang": "es",
"value": "Una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en el modo de desarrollo de Rails, en versiones anteriores a la 5.2.2.1 y la 6.0.0.beta3, podr\u00eda permitir que un atacante adivine el token secreto del modo de desarrollo generado autom\u00e1ticamente. Este token secreto puede emplearse en combinaci\u00f3n con otros internals de Rails para escalar a un exploit de ejecuci\u00f3n remota de c\u00f3digo."
}
],
"id": "CVE-2019-5420",
"lastModified": "2024-11-21T04:44:54.150",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-03-27T14:29:01.720",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/152704/Ruby-On-Rails-DoubleTap-Development-Mode-secret_key_base-Remote-Code-Execution.html"
},
{
"source": "support@hackerone.com",
"url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/IsQKvDqZdKw"
},
{
"source": "support@hackerone.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46785/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/152704/Ruby-On-Rails-DoubleTap-Development-Mode-secret_key_base-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/IsQKvDqZdKw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46785/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-330"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | html_sanitizer | * | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.2 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5.1 | |
| rubyonrails | rails | 4.2.5.2 | |
| rubyonrails | rails | 4.2.6 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "4CBB3D93-016A-43CA-9325-3F5D58DD4FD4",
"versionEndIncluding": "1.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*",
"matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de atributos de etiqueta manipulados."
}
],
"id": "CVE-2015-7578",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:02.047",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/11"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-07-07 11:01
Modified
2025-04-12 10:46
Severity ?
Summary
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.2 | |
| rubyonrails | rails | 4.0.3 | |
| rubyonrails | rails | 4.0.4 | |
| rubyonrails | rails | 4.0.5 | |
| rubyonrails | rails | 4.0.6 | |
| rubyonrails | rails | 4.0.6 | |
| rubyonrails | rails | 4.0.6 | |
| rubyonrails | rails | 4.0.6 | |
| rubyonrails | rails | 4.1.0 | |
| rubyonrails | rails | 4.1.0 | |
| rubyonrails | rails | 4.1.1 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb en el adaptador PostgreSQL para Active Record en Ruby on Rails 4.x anterior a 4.0.7 y 4.1.x anterior a 4.1.3 permite a atacantes remotos ejecutar comandos SQL arbitrarios mediante el aprovechamiento de el citado de rangos indebido."
}
],
"id": "CVE-2014-3483",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-07-07T11:01:30.573",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2014/07/02/5"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0877.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/59971"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/60214"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2014/dsa-2982"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/68341"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/07/02/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0877.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/59971"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/60214"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-2982"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/68341"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-11-28 11:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an \"html\" substring."
},
{
"lang": "es",
"value": "Una vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados en el m\u00e9todo de ayuda de las traducciones i18n en Ruby on Rails v3.0.x antes de v3.0.11 y v3.1.x antes de v3.1.2 y el complemento rails_xss en Ruby on Rails v2.3.x, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores relacionados con una cadena de traducciones cuyo nombre termina con la subcadena \"html\"."
}
],
"id": "CVE-2011-4319",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2011-11-28T11:55:09.127",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1"
},
{
"source": "secalert@redhat.com",
"url": "http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2011/11/18/8"
},
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/77199"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/50722"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1026342"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71364"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2011/11/18/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/77199"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/50722"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1026342"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71364"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-09-08 18:30
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 2.0.0 | |
| rubyonrails | rails | 2.0.0 | |
| rubyonrails | rails | 2.0.0 | |
| rubyonrails | rails | 2.0.1 | |
| rubyonrails | rails | 2.0.2 | |
| rubyonrails | rails | 2.0.4 | |
| rubyonrails | rails | 2.1.0 | |
| rubyonrails | rails | 2.1.1 | |
| rubyonrails | rails | 2.1.2 | |
| rubyonrails | rails | 2.2.0 | |
| rubyonrails | rails | 2.2.1 | |
| rubyonrails | rails | 2.2.2 | |
| rubyonrails | rails | 2.3.2 | |
| rubyonrails | rails | 2.3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper."
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n secuencias de comandos en sitios cruzados (XSS) en Roby en Rails v2.x anterior 2.2.3, y v2.3.x anterior v2.3.4, permite a atacantes remotos inyectar c\u00f3digo web o HTML a su elecci\u00f3n colocando cadenas malformadas Unicode en un formulario de ayuda."
}
],
"id": "CVE-2009-3009",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2009-09-08T18:30:00.327",
"references": [
{
"source": "cve@mitre.org",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source"
},
{
"source": "cve@mitre.org",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36600"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36717"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://securitytracker.com/id?1022824"
},
{
"source": "cve@mitre.org",
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "cve@mitre.org",
"url": "http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2009/dsa-1887"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/57666"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/36278"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2544"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53036"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36600"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36717"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://securitytracker.com/id?1022824"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2009/dsa-1887"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/57666"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/36278"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2544"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53036"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-03-27 14:29
Modified
2025-07-09 15:23
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| debian | debian_linux | 8.0 | |
| redhat | cloudforms | 4.7 | |
| opensuse | leap | 15.0 | |
| fedoraproject | fedora | 30 | |
| redhat | cloudforms | 4.6 | |
| redhat | software_collections | 1.0 |
{
"cisaActionDue": "2025-07-28",
"cisaExploitAdd": "2025-07-07",
"cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Rails Ruby on Rails Path Traversal Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A096CE2-193C-4132-B48D-12122D60FA07",
"versionEndExcluding": "4.2.11.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5DCD16B7-B3E7-4EE4-B8B1-B25FBE75EFFF",
"versionEndExcluding": "5.0.7.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF0BA3C0-E2A4-4FE1-B443-308B7EFA32F2",
"versionEndExcluding": "5.1.6.2",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F248A4DE-4B0C-4E4C-AB38-C08F90B197F8",
"versionEndExcluding": "5.2.2.1",
"versionStartIncluding": "5.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "04AC556D-D511-4C4C-B9FB-A089BB2FEFD5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
"matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "67F7263F-113D-4BAE-B8CB-86A61531A2AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9D7EE4B6-A6EC-4B9B-91DF-79615796673F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a File Content Disclosure vulnerability in Action View \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system\u0027s filesystem to be exposed."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Divulgaci\u00f3n del contenido del archivo en la Vista de acci\u00f3n versi\u00f3n anterior a .2.2.1, versi\u00f3n anterior a 1.6.2, versi\u00f3n anterior a 5.0.7.2, versi\u00f3n anterior a 4.2.11.1 y v3, donde los encabezados de aceptaci\u00f3n especialmente dise\u00f1ados pueden exponer el contenido de archivos arbitrarios en el sistema de archivos del sistema de destino. ."
}
],
"id": "CVE-2019-5418",
"lastModified": "2025-07-09T15:23:23.357",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2019-03-27T14:29:01.533",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0796"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1147"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1149"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1289"
},
{
"source": "support@hackerone.com",
"tags": [
"Permissions Required"
],
"url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Vendor Advisory",
"Broken Link"
],
"url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46585/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0796"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1147"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1149"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1289"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory",
"Broken Link"
],
"url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46585/"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-02-13 01:55
Modified
2025-04-11 00:51
Severity ?
Summary
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request."
},
{
"lang": "es",
"value": "ActiveRecord en Ruby on Rails v3.2.x anteriores a v3.2.12, v3.1.x anteriores a v3.1.11, y v2.3.x anteriores a v2.3.17 permite a atacantes remotos evitar el mecanismo de protecci\u00f3n \"attr_protected\" y modificar el modelo de atributos protegidos a trav\u00e9s de una petici\u00f3n hecha a mano."
}
],
"id": "CVE-2013-0276",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-02-13T01:55:05.167",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/52112"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/52774"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2013/dsa-2620"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/5"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/90072"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/57896"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/bb44b98a73ef1a06?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/52112"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/52774"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2013/dsa-2620"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/90072"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/57896"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/bb44b98a73ef1a06?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-03-19 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.17:*:*:*:*:*:*:*",
"matchCriteriaId": "B144F6C7-865D-4AD9-92F9-0D65AB3183DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method."
},
{
"lang": "es",
"value": "El componente Active Record en Ruby on Rails v2.3.x anterior a v2.3.18, v3.1.x anterior a v3.1.12, y v3.2.x anterior a v3.2.13, procesa determinadas consultas mediante la conversi\u00f3n de los hash de las claves a s\u00edmbolos, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio a trav\u00e9s de una entrada manipulada al m\u00e9todo \"where\"."
}
],
"id": "CVE-2013-1854",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-03-19T22:55:01.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0699.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0699.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-01-13 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | ruby_on_rails | * | |
| rubyonrails | ruby_on_rails | * | |
| debian | debian_linux | 6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF1D9248-14D7-4EA2-B416-D76FBA64E329",
"versionEndExcluding": "3.2.11",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC513BC8-F945-46A9-A63F-22585232DAE8",
"versionEndExcluding": "3.0.19",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08C05EBE-B0D8-48F5-8C69-5801000189BA",
"versionEndExcluding": "3.1.10",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2660 and CVE-2012-2694."
},
{
"lang": "es",
"value": "Ruby on Rails v3.0.x anteior a v3.0.19, v3.1.x anteior a v3.1.10, y v3.2.x anteior a v3.2.11 no considera adecuadamente las diferencias en el manejo de par\u00e1metros entre el componente Active Record y la implementaci\u00f3n JSON, lo que permite a atacantes remotos evitar las restricciones de peticiones a base de datos y realizar chequeos NULL o provocar un WHERE a trav\u00e9s de una consulta manipulada. Como se ha demostrado mdiante determinados valires \"[nil]\". Relacionado con los CVE-2012-2660 y CVE-2012-2694."
}
],
"id": "CVE-2013-0155",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-01-13T22:55:00.900",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0155.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2013/dsa-2609"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://puppet.com/security/cve/cve-2013-0155"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0155.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2013/dsa-2609"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://puppet.com/security/cve/cve-2013-0155"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2025-04-12 10:46
Severity ?
Summary
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | 5.0.0 | |
| debian | debian_linux | 8.0 | |
| fedoraproject | fedora | 22 | |
| fedoraproject | fedora | 23 | |
| opensuse | leap | 42.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "368EF708-1502-4DC8-9374-724A6BF565DE",
"versionEndExcluding": "4.1.14.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B405A97A-7C41-4005-8E72-56F632D72B9E",
"versionEndExcluding": "4.2.5.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
"matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
"matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters."
},
{
"lang": "es",
"value": "Active Model en Ruby on Rails 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 soporta el uso de los escritores a nivel de instancia para descriptores de acceso de clase, lo que permite a atacantes remotos eludir los pasos destinados a la validaci\u00f3n a trav\u00e9s de par\u00e1metros manipulados."
}
],
"id": "CVE-2016-0753",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:07.690",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/82247"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/82247"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-02-20 15:27
Modified
2025-04-11 00:51
Severity ?
Summary
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.2 | |
| rubyonrails | rails | 4.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute \"add data\" SQL commands via vectors involving \\ (backslash) characters that are not properly handled in operations on array columns."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en activerecord/lib/active_record/connection_adapters/postgresql/cast.rb en Active Record en Ruby on Rails 4.0.x anterior a 4.0.3 y 4.1.0.beta1, cuando se utiliza PostgreSQL, permite a atacantes remotos ejecutar comandos SQL \"add data\" a trav\u00e9s de vectores involucrando caracteres \\ (barra invertida) que no est\u00e1n debidamente manejados en operaciones sobre columnas array."
}
],
"id": "CVE-2014-0080",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-02-20T15:27:02.750",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2014/02/18/9"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/02/18/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-11 22:15
Modified
2024-11-21 06:48
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| puma | puma | * | |
| puma | puma | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 | |
| fedoraproject | fedora | 35 | |
| fedoraproject | fedora | 36 | |
| fedoraproject | fedora | 37 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "F662913A-D835-400A-BE47-112269F1A880",
"versionEndExcluding": "4.3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "3221F00A-D4F8-43C2-90D0-98D38E5294B8",
"versionEndExcluding": "5.6.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "799C8F9A-10DD-4840-AAB5-F444DDA46FE2",
"versionEndExcluding": "5.2.6.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB7B860B-0F93-4C93-8C95-29D259A38C43",
"versionEndExcluding": "6.0.4.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8FC3F82-3521-470B-910E-395895BAB248",
"versionEndExcluding": "6.1.4.6",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC6C96FF-285D-4378-86FF-AFB70FC339A3",
"versionEndExcluding": "7.0.2.2",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
"matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
},
{
"lang": "es",
"value": "Puma es un servidor web Ruby/Rack construido para el paralelismo. versiones anteriores a \"puma\" \"5.6.2\", \"puma\" no siempre llamaba a \"close\" en el cuerpo de la respuesta. Rails, versiones anteriores a \"7.0.2.2\", depend\u00eda de que el cuerpo de la respuesta estuviera cerrado para que su implementaci\u00f3n de \"CurrentAttributes\" funcionara correctamente. La combinaci\u00f3n de estos dos comportamientos (que Puma no cierre el cuerpo + la implementaci\u00f3n del ejecutor de Rails) causa un filtrado de informaci\u00f3n. Este problema ha sido solucionado en Puma versiones 5.6.2 y 4.3.11. Este problema se ha solucionado en las versiones de Rails versiones 7.02.2, 6.1.4.6, 6.0.4.6 y 5.2.6.2. La actualizaci\u00f3n a una versi\u00f3n parcheada de Rails _o_ de Puma corrige esta vulnerabilidad"
}
],
"id": "CVE-2022-23634",
"lastModified": "2024-11-21T06:48:58.950",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.8,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-11T22:15:07.817",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Not Applicable",
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5146"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Not Applicable",
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5146"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-404"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-03-13 10:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods."
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Ruby on Rails 3.0.x anteriores a 3.0.12, 3.1.x anteriores a 3.1.4, y 3.2.x anterioes a 3.2.2 permite a atacantes remotos inyectar codigo de script web o c\u00f3digo HTML de su elecci\u00f3n a trav\u00e9s de vectores que involucran un objeto SafeBuffer que es manipulado a trav\u00e9s de determinados m\u00e9todos."
}
],
"id": "CVE-2012-1098",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-03-13T10:55:01.213",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/03/02/6"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/03/03/1"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=799275"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/03/02/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/03/03/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=799275"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-16 02:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | html_sanitizer | * | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.0 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.1 | |
| rubyonrails | rails | 4.2.2 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.3 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.4 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5 | |
| rubyonrails | rails | 4.2.5.1 | |
| rubyonrails | rails | 4.2.5.2 | |
| rubyonrails | rails | 4.2.6 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 | |
| rubyonrails | rails | 5.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "4CBB3D93-016A-43CA-9325-3F5D58DD4FD4",
"versionEndIncluding": "1.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*",
"matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS in la gema rails-html-sanitizer 1.0.2 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de una entidad HTML que no es manejada adecuadamente por la clase Rails::Html::FullSanitizer."
}
],
"id": "CVE-2015-7579",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-16T02:59:03.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-05-07 10:55
Modified
2025-04-12 10:46
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf | Broken Link, Technical Description | |
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2014-1863.html | Third Party Advisory | |
| secalert@redhat.com | http://www.securityfocus.com/bid/67244 | Broken Link, Third Party Advisory, VDB Entry | |
| secalert@redhat.com | https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ | Broken Link, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf | Broken Link, Technical Description | |
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2014-1863.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/67244 | Broken Link, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ | Broken Link, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | subscription_asset_manager | * | |
| redhat | enterprise_linux_server | 6.0 | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * |
{
"cisaActionDue": "2022-04-15",
"cisaExploitAdd": "2022-03-25",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Ruby on Rails Directory Traversal Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:subscription_asset_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C16B5251-FF39-4CB3-820E-0796B70BAD5A",
"versionEndIncluding": "1.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5235B876-7782-42AB-8F24-79459C17AB85",
"versionEndExcluding": "3.2.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF8059E5-5473-4467-B8D5-212B17F5D198",
"versionEndExcluding": "4.0.5",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DA450AD-4238-4E43-AD22-4E5586FCCB11",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en actionpack/lib/abstract_controller/base.rb en la implementaci\u00f3n implicit-render en Ruby on Rails anterior a 3.2.18, 4.0.x anterior a 4.0.5 y 4.1.x anterior a 4.1.1, cuando ciertas configuraciones de coincidencia de patrones en rutas basadas en caracteres comod\u00edn (globbing) est\u00e1n habilitadas, permite a atacantes remotos leer archivos arbitrarios a trav\u00e9s de una solicitud manipulada."
}
],
"id": "CVE-2014-0130",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2014-05-07T10:55:04.133",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Technical Description"
],
"url": "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/67244"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Technical Description"
],
"url": "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/67244"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-02 19:15
Modified
2024-11-21 05:38
Severity ?
Summary
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw | Mailing List, Patch, Third Party Advisory | |
| support@hackerone.com | https://hackerone.com/reports/732415 | Exploit, Third Party Advisory | |
| support@hackerone.com | https://www.debian.org/security/2020/dsa-4766 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/732415 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2020/dsa-4766 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4357891D-A07C-4E1B-B540-92D6C477E7BB",
"versionEndExcluding": "5.2.4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12B5617A-91AC-4B94-BE1A-057DBF322808",
"versionEndExcluding": "6.0.3.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CSRF forgery vulnerability exists in rails \u003c 5.2.5, rails \u003c 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de falsificaci\u00f3n CSRF en rails versiones anteriores a 5.2.5, rails versiones anteriores a 6.0.4 que hace posible para un atacante, dado un token CSRF global como el presente en la etiqueta meta de authenticity_token, forjar un token CSRF per-form"
}
],
"id": "CVE-2020-8166",
"lastModified": "2024-11-21T05:38:25.277",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-02T19:15:12.513",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/732415"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/732415"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-03-27 14:29
Modified
2024-11-21 04:44
Severity ?
Summary
There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| debian | debian_linux | 8.0 | |
| redhat | cloudforms | 4.6 | |
| redhat | cloudforms | 4.7 | |
| redhat | software_collections | 1.0 | |
| opensuse | leap | 15.0 | |
| opensuse | leap | 15.1 | |
| fedoraproject | fedora | 30 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF9998D1-8C7B-4402-930B-C370824D46AA",
"versionEndExcluding": "4.2.11.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5DCD16B7-B3E7-4EE4-B8B1-B25FBE75EFFF",
"versionEndExcluding": "5.0.7.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF0BA3C0-E2A4-4FE1-B443-308B7EFA32F2",
"versionEndExcluding": "5.1.6.2",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F248A4DE-4B0C-4E4C-AB38-C08F90B197F8",
"versionEndExcluding": "5.2.2.1",
"versionStartIncluding": "5.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "67F7263F-113D-4BAE-B8CB-86A61531A2AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "04AC556D-D511-4C4C-B9FB-A089BB2FEFD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9D7EE4B6-A6EC-4B9B-91DF-79615796673F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
"matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive."
},
{
"lang": "es",
"value": "Hay una posible vulnerabilidad de denegaci\u00f3n de servicio (DoS) en la vista de acci\u00f3n en Rails, en versiones anteriores a las 5.2.2.1, 5.1.6.2, 5.0.7.2 y 4.2.11.1 donde las cabeceras de aceptaci\u00f3n especialmente manipuladas pueden provocar que dicha vista consuma el 100 % de la CPU y haga que el servidor deje de responder."
}
],
"id": "CVE-2019-5419",
"lastModified": "2024-11-21T04:44:54.017",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-03-27T14:29:01.657",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0796"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1147"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1149"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1289"
},
{
"source": "support@hackerone.com",
"url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
},
{
"source": "support@hackerone.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0796"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1147"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1149"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1289"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-04-07 23:59
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBD4FBDC-F05B-4CDD-8928-7122397A7651",
"versionEndIncluding": "3.2.22.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto directorio en Action View en Ruby on Rails en versiones anteriores a 3.2.22.2 y 4.x en versiones anteriores a 4.1.14.2 permite a atacantes remotos leer archivos arbitrarios aprovechando el uso no restringido del m\u00e9todo render de una aplicaci\u00f3n y proporcionando un .. (punto punto) en un nombre de ruta. NOTA: esta vulnerabilidad existe por una soluci\u00f3n incompleta para CVE-2016-0752."
}
],
"id": "CVE-2016-2097",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-04-07T23:59:05.800",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/83726"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/83726"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-02-20 15:27
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*",
"matchCriteriaId": "C0406FF0-30F5-40E2-B9B8-FE465D923DE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6646610D-279B-4AEC-B445-981E7784EE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "005A14B0-1621-4A0C-A990-2B8B59C199B3",
"versionEndIncluding": "3.2.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "991F368C-CEB5-4DE6-A7EE-C341F358A4CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "01DB164E-E08E-4649-84BD-15B4159A3AA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"matchCriteriaId": "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse_project:opensuse:12.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B91DE6A-D759-4B2C-982B-AF036B43798D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:cloudforms:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E497C765-C720-4566-BB73-705C36AEA59A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en actionview/lib/action_view/helpers/number_helper.rb en Ruby on Rails anterior a 3.2.17, 4.0.x anterior a 4.0.3 y 4.1.x anterior a 4.1.0.beta2 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s del par\u00e1metro (1) format, (2) negative_format, o (3) units hacia la ayuda de (a) number_to_currency, (b) number_to_percentage, o (c) number_to_human."
}
],
"id": "CVE-2014-0081",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-02-20T15:27:09.140",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://openwall.com/lists/oss-security/2014/02/18/8"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0215.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0306.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Permissions Required"
],
"url": "http://secunia.com/advisories/57376"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/65647"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1029782"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://openwall.com/lists/oss-security/2014/02/18/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0215.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0306.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "http://secunia.com/advisories/57376"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/65647"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1029782"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-29 16:29
Modified
2025-04-20 01:37
Severity ?
Summary
SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7808D558-05FB-404B-8E69-40EFE66BC057",
"versionEndIncluding": "5.1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the \u0027find_by\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027name\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input"
},
{
"lang": "es",
"value": "** EN DISPUTA** Vulnerabilidad de inyecci\u00f3n SQL en el m\u00e9todo \"find_by\" en Ruby on Rails 5.1.4 y anteriores permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el par\u00e1metro \"name\". NOTA: El fabricante rechaza este problema porque la documentaci\u00f3n indica que este m\u00e9todo no est\u00e1 destinado a utilizarse con datos de entrada no fiables."
}
],
"id": "CVE-2017-17916",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-29T16:29:00.217",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-08-20 11:17
Modified
2025-04-12 10:46
Severity ?
Summary
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.0 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.1 | |
| rubyonrails | rails | 4.0.2 | |
| rubyonrails | rails | 4.0.3 | |
| rubyonrails | rails | 4.0.4 | |
| rubyonrails | rails | 4.0.5 | |
| rubyonrails | rails | 4.0.6 | |
| rubyonrails | rails | 4.0.6 | |
| rubyonrails | rails | 4.0.6 | |
| rubyonrails | rails | 4.0.6 | |
| rubyonrails | rails | 4.0.7 | |
| rubyonrails | rails | 4.0.8 | |
| rubyonrails | rails | 4.1.0 | |
| rubyonrails | rails | 4.1.0 | |
| rubyonrails | rails | 4.1.1 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.2 | |
| rubyonrails | rails | 4.1.3 | |
| rubyonrails | rails | 4.1.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls."
},
{
"lang": "es",
"value": "activerecord/lib/active_record/relation/query_methods.rb en Active Record en Ruby on Rails 4.0.x anterior a 4.0.9 y 4.1.x anterior a 4.1.5 permite a atacantes remotos evadir el mecanismo de protecci\u00f3n de par\u00e1metros fuertes a trav\u00e9s de entradas manipuladas en una aplicaci\u00f3n que realiza llamadas create_with."
}
],
"id": "CVE-2014-3514",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-08-20T11:17:14.483",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2014/08/18/10"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/60347"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/08/18/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/60347"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-07-07 11:01
Modified
2025-04-12 10:46
Severity ?
Summary
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.18:*:*:*:*:*:*:*",
"matchCriteriaId": "93E0C324-E7F4-4316-B078-BA13F69F10D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6646610D-279B-4AEC-B445-981E7784EE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*",
"matchCriteriaId": "A499584B-6E2E-42F3-B0CE-DA7BDD732897",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:2.3.17:*:*:*:*:*:*:*",
"matchCriteriaId": "B144F6C7-865D-4AD9-92F9-0D65AB3183DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb en el adaptador PostgreSQL para Active Record en Ruby on Rails 2.x y 3.x anterior a 3.2.19 permite a atacantes remotos ejecutar comandos SQL arbitrarios mediante el aprovechamiento del citado de bitstrings indebido."
}
],
"id": "CVE-2014-3482",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-07-07T11:01:30.527",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2014/07/02/5"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0876.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/59973"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/60214"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/60763"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2014/dsa-2982"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/68343"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/07/02/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0876.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/59973"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/60214"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/60763"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-2982"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/68343"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-11 21:15
Modified
2024-11-21 06:48
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "799C8F9A-10DD-4840-AAB5-F444DDA46FE2",
"versionEndExcluding": "5.2.6.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB7B860B-0F93-4C93-8C95-29D259A38C43",
"versionEndExcluding": "6.0.4.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8FC3F82-3521-470B-910E-395895BAB248",
"versionEndExcluding": "6.1.4.6",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC6C96FF-285D-4378-86FF-AFB70FC339A3",
"versionEndExcluding": "7.0.2.2",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used."
},
{
"lang": "es",
"value": "Action Pack es un marco de trabajo para manejar y responder a peticiones web. Bajo determinadas circunstancias los cuerpos de las respuestas no son cerradas. En el caso de que una respuesta *no* sea notificada de un \"close\", \"ActionDispatch::Executor\" no sabr\u00e1 restablecer el estado local del hilo para la siguiente petici\u00f3n. Esto puede conllevar a que sean filtrados datos a las siguientes peticiones. Esto ha sido corregido en Rails versiones 7.0.2.1, 6.1.4.5, 6.0.4.5 y 5.2.6.1. Es recomendado encarecidamente actualizar, pero para mitigar este problema puede usarse el middleware descrito en GHSA-wh98-p28r-vrc9"
}
],
"id": "CVE-2022-23633",
"lastModified": "2024-11-21T06:48:58.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-11T21:15:11.990",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
},
{
"source": "security-advisories@github.com",
"url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-212"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-10 10:34
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper."
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en actionpack/lib/action_view/helpers/form_tag_helper.rb en Ruby on Rails v3.x anterior a v3.0.17, v3.1.x anterior a v3.1.8, y v3.2.x anterior a v3.2.8 permite la administraci\u00f3n remota los atacantes para inyectar secuencias de comandos web o HTML a trav\u00e9s del campo del sistema para el (helper) select_tag."
}
],
"id": "CVE-2012-3463",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-10T10:34:47.843",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 3.0.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header."
},
{
"lang": "es",
"value": "El m\u00e9todo to_s en actionpack/lib/action_dispatch/middleware/remote_ip.rb en Ruby on Rails v3.0.5 no valida la cabecera X-Forwarded-For de las peticiones de direcciones IP en una red de Clase C, lo que podr\u00eda permitir a atacantes remotos la ejecuci\u00f3n de documentos de texto en los archivos de registro o evitar an\u00e1lisis de direcciones intencionadas a trav\u00e9s de una cabecera modificada."
}
],
"id": "CVE-2011-3187",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-08-29T18:55:01.707",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://bugzilla.novell.com/show_bug.cgi?id=673010"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://bugzilla.novell.com/show_bug.cgi?id=673010"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-12-07 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*",
"matchCriteriaId": "1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF",
"versionEndIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38F53FB7-A292-4273-BFBE-E231235E845D",
"versionEndIncluding": "3.2.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "991F368C-CEB5-4DE6-A7EE-C341F358A4CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "01DB164E-E08E-4649-84BD-15B4159A3AA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"matchCriteriaId": "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem."
},
{
"lang": "es",
"value": "Vulnerabilidad de cross-site scripting (XSS) en actionpack/lib/action_view/helpers/translation_helper.rb en el componente internationalization en Ruby on Rails 3.x anteriores a 3.2.16 y 4.x anteriores a 4.0.2 permite a atacantes remotos inyectar scripts web o HTML arbitrarios a trav\u00e9s de cadenas de texto manipuladas que activan la generaci\u00f3n de una cadena de fallback en la gema i18n."
}
],
"id": "CVE-2013-4491",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-12-07T00:55:03.553",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57836"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "secalert@redhat.com",
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/64076"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2013-4491"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57836"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/64076"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2013-4491"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-09-07 19:28
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "11F211A0-AC69-482A-B659-AEE7BE4E4CD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "42232305-7D62-4692-81CC-B7E9CE642372",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DD2818D7-5006-4486-AE55-47B63C8F114B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "83EF40E0-1C62-415A-892B-C071B109D924",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "22D707A0-7CA9-4CED-8DBA-1B50B57EDB2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "0C3CADF8-3316-4514-9A70-AD3DF16B19E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "D0D4AF31-A47B-4BE3-A99B-9A0EB7C53D20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*",
"matchCriteriaId": "C0406FF0-30F5-40E2-B9B8-FE465D923DE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6646610D-279B-4AEC-B445-981E7784EE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*",
"matchCriteriaId": "50F51980-EAD9-4E4D-A2E7-1FACFA80AAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*",
"matchCriteriaId": "CC02A7D1-CB1A-4793-86E3-CF88D0BCDF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.18:*:*:*:*:*:*:*",
"matchCriteriaId": "A499584B-6E2E-42F3-B0CE-DA7BDD732897",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.21:*:*:*:*:*:*:*",
"matchCriteriaId": "AE982FFD-D30F-4872-9C36-74DE50405B18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.22.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EA770BE3-DD37-45C9-9E6D-8D3407D1A5D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C3AF00C3-93D9-4284-BCB9-40E42CB8386E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AE4B688E-8638-4539-961D-4FDCBEB4B1C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5D0346BB-9180-4FE5-AA35-DC466675ED5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "2D6DD9BF-F174-4BE3-9910-BDE3658DC36E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.16:*:*:*:*:*:*:*",
"matchCriteriaId": "40B79E40-75CB-4EBB-8A4B-AF41AED2AE1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.16:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89B4DCF6-1A21-4B91-ACB4-7DE05487C497",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
"matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
"matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EC163D49-691B-4125-A983-6CF6F6D86DEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "68B537D1-1584-4D15-9C75-08ED4D45DC3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "6A19315C-9A9D-45FE-81C8-074744825B98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1E3B4233-E117-4E77-A60D-3DFD5073154D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "392CF25B-8400-4185-863F-D6353B664FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3037282A-863A-4C92-A40C-4D436D2621C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*",
"matchCriteriaId": "C8C25977-AB6C-45E1-8956-871EB31B36BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "5F0AB6B0-3506-4332-A183-309FAC4882CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "6D7B4EBC-B634-4AD7-9F7A-54D14821D5AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "F844FB25-6E27-412F-8394-A7FB15AC1191",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A4E608ED-F4AB-4F29-B34E-2841A59580A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6320DD44-7D7E-4075-A865-BEAFF86FDA9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "991F368C-CEB5-4DE6-A7EE-C341F358A4CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "01DB164E-E08E-4649-84BD-15B4159A3AA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"matchCriteriaId": "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.19:*:*:*:*:*:*:*",
"matchCriteriaId": "69702127-AB96-4FE0-9AC4-FBE7B8CA77E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.20:*:*:*:*:*:*:*",
"matchCriteriaId": "48D71F7B-CF93-41D4-A824-51CB11F08692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.22:*:*:*:*:*:*:*",
"matchCriteriaId": "60CE659B-DF49-477B-8879-C33823F6527F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.22.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7EF68196-7C9E-40FE-868D-C42FF82D52EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "91AB2B26-A6F1-44D2-92EB-8078DD6FD63A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E971CF9D-B807-4A74-81EB-D7CB4E5B8099",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:5.0.0:racecar1:*:*:*:*:*:*",
"matchCriteriaId": "0B31291C-CBB5-4E51-B0AC-4144E8BAD65B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as \"HTML safe\" and used as attribute values in tag handlers."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en Action View en Ruby en Rails 3.x en versiones anteriores a 3.2.22.3, 4.x en versiones anteriores a 4.2.7.1 y 5.x en versiones anteriores a 5.0.0.1 podr\u00eda permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de texto declarado como \"HTML safe\" y utilizado como valores de atributos en los manejadores de etiquetas."
}
],
"id": "CVE-2016-6316",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-09-07T19:28:10.067",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3651"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/92430"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2016-6316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1855.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1856.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1857.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1858.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3651"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/08/11/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/92430"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21topic/ruby-security-ann/8B2iV2tPRSE"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2016-6316"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-29 16:29
Modified
2025-04-20 01:37
Severity ?
Summary
SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7808D558-05FB-404B-8E69-40EFE66BC057",
"versionEndIncluding": "5.1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the \u0027where\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027id\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input"
},
{
"lang": "es",
"value": "** EN DISPUTA ** Vulnerabilidad de inyecci\u00f3n SQL en el m\u00e9todo \"where\" en Ruby on Rails 5.1.4 y anteriores permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el par\u00e1metro \"id\". NOTA: El proveedor defiende que la documentaci\u00f3n indica que este m\u00e9todo no est\u00e1 dise\u00f1ado para ser utilizado con datos no confiables."
}
],
"id": "CVE-2017-17917",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-29T16:29:00.263",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en el m\u00e9todo quote_table_name en el adaptador ActiveRecord de activerecord/lib/active_record/connection_adapters/ in Ruby on Rails antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5, permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s de un nombre de columna modificado."
}
],
"id": "CVE-2011-2930",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-08-29T18:55:01.457",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731438"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731438"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-10 14:10
Modified
2024-11-21 06:31
Severity ?
Summary
A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 6.0.4.2 | |
| rubyonrails | rails | 6.1.4.2 | |
| rubyonrails | rails | 7.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:6.0.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "37A3CBC3-83F7-4D43-B1FA-D2694B5AF8BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:6.1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4F480555-28ED-4393-BB7D-1380E34B2670",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:7.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "4A5138B9-07DF-4705-A271-E2E1444BAC61",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A open redirect vulnerability exists in Action Pack \u003e= 6.0.0 that could allow an attacker to craft a \"X-Forwarded-Host\" headers in combination with certain \"allowed host\" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de redirecci\u00f3n abierta en Action Pack versiones posteriores a 6.0.0 incluy\u00e9ndola, que podr\u00eda permitir a un atacante dise\u00f1ar un encabezado \"X-Forwarded-Host\" en combinaci\u00f3n con determinados formatos de \"allowed host\" puede causar que el middleware Host Authorization en Action Pack redirija a usuarios a un sitio web malicioso"
}
],
"id": "CVE-2021-44528",
"lastModified": "2024-11-21T06:31:10.060",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-10T14:10:26.117",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815"
},
{
"source": "support@hackerone.com",
"url": "https://security.netapp.com/advisory/ntap-20240208-0003/"
},
{
"source": "support@hackerone.com",
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240208-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.debian.org/security/2023/dsa-5372"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-26 20:15
Modified
2024-11-21 07:20
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319. NOTE: Maintainer declares that there isn’t a valid attack vector. The issue was wrongly reported as a security vulnerability by a non-member of the Rails team.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4 | Patch, Third Party Advisory | |
| cna@vuldb.com | https://github.com/rails/rails/issues/46244 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.212319 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/rails/rails/issues/46244 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.212319 | Permissions Required, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2DE62461-5072-4B51-9043-C6AA48A95069",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319. NOTE: Maintainer declares that there isn\u2019t a valid attack vector. The issue was wrongly reported as a security vulnerability by a non-member of the Rails team."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad clasificada como problem\u00e1tica en Ruby on Rails. Afecta a una parte desconocida del archivo actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. La manipulaci\u00f3n conlleva a un ataque de tipo cross site scripting. Es posible iniciar el ataque de forma remota. El nombre del parche es be177e4566747b73ff63fd5f529fab564e475ed4. Es recomendado aplicar el parche para corregir este problema. El identificador asociado a esta vulnerabilidad es VDB-212319"
}
],
"id": "CVE-2022-3704",
"lastModified": "2024-11-21T07:20:04.373",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-26T20:15:10.730",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4"
},
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/issues/46244"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.212319"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/issues/46244"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.212319"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-707"
}
],
"source": "cna@vuldb.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-02-21 18:00
Modified
2025-04-11 00:51
Severity ?
Summary
actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.0 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.1 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.2 | |
| rubyonrails | rails | 3.0.3 | |
| rubyonrails | rails | 3.0.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters."
},
{
"lang": "es",
"value": "actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x anteriores a v3.0.4, cuando un sistema de ficheros sensible a may\u00fasculas y min\u00fasculas se utiliza, no se aplican adecuadamente los filtros asociados a la lista de plantillas disponibles, lo que permite a atacantes remotos evitar las restricciones de acceso previsto a trav\u00e9s de un nombre de acci\u00f3n que utiliza un caso no deseado para los caracteres alfab\u00e9ticos."
}
],
"id": "CVE-2011-0449",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-02-21T18:00:01.363",
"references": [
{
"source": "cve@mitre.org",
"url": "http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source\u0026output=gplain"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43278"
},
{
"source": "cve@mitre.org",
"url": "http://securitytracker.com/id?1025061"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2011/0877"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43278"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1025061"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2011/0877"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-02 04:15
Modified
2025-03-26 18:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ankane/clockwork_web/commit/ec2896503ee231588547c2fad4cb93a94e78f857 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/ankane/clockwork_web/compare/v0.1.1...v0.1.2 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/ankane/clockwork_web/issues/4 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ankane/clockwork_web/commit/ec2896503ee231588547c2fad4cb93a94e78f857 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ankane/clockwork_web/compare/v0.1.1...v0.1.2 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ankane/clockwork_web/issues/4 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| clockwork_web_project | clockwork_web | * | |
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:clockwork_web_project:clockwork_web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D66182B-0020-4436-8C14-B3EE1F9B82A3",
"versionEndExcluding": "0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C9163AF-6EEA-4C22-BA5D-74CB55208C9B",
"versionEndExcluding": "5.2.0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF."
}
],
"id": "CVE-2023-25015",
"lastModified": "2025-03-26T18:15:23.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-02-02T04:15:08.107",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ankane/clockwork_web/commit/ec2896503ee231588547c2fad4cb93a94e78f857"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ankane/clockwork_web/compare/v0.1.1...v0.1.2"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/ankane/clockwork_web/issues/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ankane/clockwork_web/commit/ec2896503ee231588547c2fad4cb93a94e78f857"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ankane/clockwork_web/compare/v0.1.1...v0.1.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/ankane/clockwork_web/issues/4"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-652"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-27 16:15
Modified
2025-02-14 15:26
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B002323A-D7B8-4C0C-B7C3-2329643666B4",
"versionEndExcluding": "6.1.7.7",
"versionStartIncluding": "5.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9944FE3A-3FEF-414F-B19E-6FFB12F49232",
"versionEndExcluding": "7.1.0",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user\u0027s session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7."
},
{
"lang": "es",
"value": "Rails es un framework de aplicaci\u00f3n web. A partir de la versi\u00f3n 5.2.0, existe una posible fuga de informaci\u00f3n confidencial de la sesi\u00f3n en Active Storage. De forma predeterminada, Active Storage env\u00eda un encabezado Set-Cookie junto con la cookie de sesi\u00f3n del usuario cuando sirve blobs. Tambi\u00e9n configura Cache-Control como p\u00fablico. Ciertos servidores proxy pueden almacenar en cach\u00e9 la Set-Cookie, lo que provoca una fuga de informaci\u00f3n. La vulnerabilidad se solucion\u00f3 en 7.0.8.1 y 6.1.7.7."
}
],
"id": "CVE-2024-26144",
"lastModified": "2025-02-14T15:26:42.917",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-27T16:15:46.970",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0013/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0013/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-06-22 14:55
Modified
2025-04-11 00:51
Severity ?
Summary
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F046DC2-971A-46E6-A61B-AD39B954D634",
"versionEndIncluding": "3.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661."
},
{
"lang": "es",
"value": "El componente \u0027Active Record\u0027 en Ruby on Rails antes de la version v3.0.14, v3.1.x antes de v3.1.6 y v3.2.x antes de v3.2.6 no implementa correctamente el paso de los datos de la solicitud a un m\u00e9todo \u0027where\u0027 en la clase ActiveRecord, lo que permite llevar a cabo determinados ataques de inyecci\u00f3n SQL a atacantes remotos a trav\u00e9s de los par\u00e1metros de consulta anidadas que aprovechan una indebida manipulaci\u00f3n de los hashes anidados. Es un problema relacionado con el CVE-2012-2661."
}
],
"id": "CVE-2012-2695",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-06-22T14:55:01.147",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name."
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n de secuencias comandos en sitios cruzados (XSS) en strip_tags de actionpack/lib/action_controller/vendor/html-scanner/html/node.rb en Ruby on Rails v2.x antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5 permite a atacantes remotos ejecutar secuencias de comandos web o HTML a trav\u00e9s una etiqueta con un nombre no v\u00e1lido."
}
],
"id": "CVE-2011-2931",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2011-08-29T18:55:01.503",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/45921"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731436"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/45921"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731436"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-10 10:34
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BBBE2A-2BDA-4930-8E26-A1E3C6575F81",
"versionEndIncluding": "3.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a \u0027 (quote) character."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en activesupport/lib/active_support/core_ext/string/output_safety.rb en Ruby on Rails anteriores a v3.0.17, v3.1.x anteriores a v3.1.8, y 3.2.x anteriores a v3.2.8, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores que implican el caracter \u0027 (comilla)."
}
],
"id": "CVE-2012-3464",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-10T10:34:47.890",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/50694"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/50694"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-06-14 23:30
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | 1.1.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en la funci\u00f3n to_json (ActiveRecord::Base-to_json) en Ruby on Rails versiones anteriores a edge 9606, permite a atacantes remotos inyectar script web arbitrario por medio de los valores de entrada."
}
],
"id": "CVE-2007-3227",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2007-06-14T23:30:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"source": "cve@mitre.org",
"url": "http://dev.rubyonrails.org/ticket/8371"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/36378"
},
{
"source": "cve@mitre.org",
"url": "http://pastie.caboo.se/65550.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/25699"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27657"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27756"
},
{
"source": "cve@mitre.org",
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"source": "cve@mitre.org",
"url": "http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release"
},
{
"source": "cve@mitre.org",
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"source": "cve@mitre.org",
"url": "http://www.novell.com/linux/security/advisories/2007_24_sr.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/24161"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2007/2216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=195315"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.rubyonrails.org/ticket/8371"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/36378"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://pastie.caboo.se/65550.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/25699"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27657"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27756"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://security.gentoo.org/glsa/glsa-200711-17.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.novell.com/linux/security/advisories/2007_24_sr.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/24161"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2007/2216"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-03-19 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference."
},
{
"lang": "es",
"value": "El backend ActiveSupport::XmlMini_JDOM en lib/active_support/xml_mini/jdom.rb en el componente Active Support en Ruby on Rails v3.0.x y 3.1.x anterior a v3.1.12 y v3.2.x anterior a v3.2.13, cuando se usa JRuby, no restringe adecuadamente las capacidades del validador XML, lo que permite a atacantes remotos leer archivos de su elecci\u00f3n o provocar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s de vectores que involucran (1) una TDT externa o (2) una declaraci\u00f3n de entidad externa junto con una referencia a una entidad."
}
],
"id": "CVE-2013-1856",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-03-19T22:55:01.070",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-06-30 15:55
Modified
2025-04-11 00:51
Severity ?
Summary
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method."
},
{
"lang": "es",
"value": "La caracter\u00edstica de prevenci\u00f3n de secuencias de comandos en sitios cruzados (XSS) de Ruby en Rails v2.x anterior a v2.3.12, v3.0.x anterior a v3.0.8, y v3.1.x anterior a v3.1.0.rc2 no maneja adecuadamente la mutaci\u00f3n de b\u00fafers seguros, esto facilita a los atacantes remotos provocar ataques XSS a trav\u00e9s de cadenas manipuladas de una aplicaci\u00f3n que usa un m\u00e9todo de cadena problem\u00e1tico, como se ha demostrado con el sub-m\u00e9todo."
}
],
"id": "CVE-2011-2197",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2011-06-30T15:55:01.910",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://openwall.com/lists/oss-security/2011/06/09/2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://openwall.com/lists/oss-security/2011/06/13/9"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/44789"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://openwall.com/lists/oss-security/2011/06/09/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://openwall.com/lists/oss-security/2011/06/13/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/44789"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-08-29 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a \"UTF-8 escaping vulnerability.\""
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n de secuencias comandos en sitios cruzados (XSS) en activesupport/lib/active_support/core_ext/string/output_safety.rb en Ruby on Rails v2.x antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5 permite a atacantes remotos ejecutar secuencias de comandos web o HTML a trav\u00e9s de cadenas Unicode malformadas, relacionado con una \"vulnerabilidad de escapado UTF-8\""
}
],
"id": "CVE-2011-2932",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2011-08-29T18:55:01.567",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source\u0026output=gplain"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/45917"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731435"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/45917"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731435"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-09 20:15
Modified
2025-03-24 20:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| actionpack_project | actionpack | * | |
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:actionpack_project:actionpack:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "EAD7718C-B932-4863-B30E-E85F1ADCF933",
"versionEndExcluding": "7.0.4.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA4E147-AAD7-4EA9-BB6B-8358610FEE9A",
"versionEndExcluding": "7.0.4.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability."
}
],
"id": "CVE-2023-22797",
"lastModified": "2025-03-24T20:15:16.253",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-02-09T20:15:11.550",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Not Applicable"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-19 14:15
Modified
2024-11-21 01:26
Severity ?
Summary
A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG | Release Notes, Third Party Advisory | |
| secalert@redhat.com | https://www.openwall.com/lists/oss-security/2011/04/06/13 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2011/04/06/13 | Exploit, Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59C3C778-7F4A-455B-8D1E-7760FF68DC93",
"versionEndExcluding": "3.0.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6."
},
{
"lang": "es",
"value": "Se ha encontrado un fallo de vulnerabilidad de tipo cross-site scripting en la funci\u00f3n auto_link de Rails versiones anteriores a 3.0.6"
}
],
"id": "CVE-2011-1497",
"lastModified": "2024-11-21T01:26:26.923",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-19T14:15:08.033",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2011/04/06/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2011/04/06/13"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-02-11 18:15
Modified
2024-11-21 05:50
Severity ?
Summary
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| fedoraproject | fedora | 33 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "817BE0F5-136C-460E-816D-74B3F6663BA8",
"versionEndExcluding": "6.0.3.5",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "98CE6993-089E-454B-8156-011E03FC3C94",
"versionEndExcluding": "6.1.2.1",
"versionStartIncluding": "6.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain \"allowed host\" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website."
},
{
"lang": "es",
"value": "El middleware de Autorizaci\u00f3n de Host en Action Pack versiones anteriores a 6.1.2.1, 6.0.3.5 sufre una vulnerabilidad de redireccionamiento abierto.\u0026#xa0;Los encabezados \"Host\" especialmente dise\u00f1ados en combinaci\u00f3n con determinados formatos \"allowed host\" pueden causar que el middleware de Autorizaci\u00f3n del Host en Action Pack redireccione a los usuarios a un sitio web malicioso.\u0026#xa0;Las aplicaciones afectadas habr\u00e1n permitido hosts con un punto inicial.\u0026#xa0;Cuando un host permitido contiene un punto inicial, un encabezado \"Host\" especialmente dise\u00f1ado puede ser usado para redireccionar hacia un sitio web malicioso"
}
],
"id": "CVE-2021-22881",
"lastModified": "2024-11-21T05:50:49.740",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-11T18:15:17.460",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/05/2"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/08/20/1"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Mailing List",
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/5"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/"
},
{
"source": "support@hackerone.com",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1047447"
},
{
"source": "support@hackerone.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/05/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/08/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1047447"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-11-21 21:46
Modified
2025-04-09 00:30
Severity ?
Summary
The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49B9DD7F-DA3A-49C5-B2D4-8A8BD73C6FA5",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB938651-C874-4427-AF9B-E9564B258633",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1D59FAFB-5D48-4BD8-AD51-FF9A204E373D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FE23CCE1-1713-4813-A0AB-1E10DBDA4D12",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.9.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "897109FF-2C37-458A-91A9-7407F3DFBC99",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "289B1633-AAF7-48BE-9A71-0577428EE531",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B947FD6D-CD0B-44EE-95B5-E513AF244905",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3666B82-1880-4A43-900F-3656F3FB157A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE622F6D-AC7D-4D82-A33C-82C2CEFDB9B2",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C06D18BA-A0AB-461B-B498-2F1759CBF37D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61EBE7E0-C474-43A7-85E3-093C754A253F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7195418-A2E9-43E6-B29F-AEACC317E69E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "39485B13-3C71-4EC6-97CF-6C796650C5B9",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E16D8B-4FBD-4FB6-ABA8-B38ECA4D413F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D8A3B30A-65F0-4D63-9A09-B23E9FC8D550",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "62323F62-AD04-4F43-A566-718DDB4149CC",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:0.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A8E890B1-4237-4470-939A-4FC489E04520",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24F3B933-0F68-4F88-999C-0BE48BC88CF6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9E13DAEA-F118-4CB2-88A5-54E3327B6B9E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BC33BF68-D887-4C67-8E8C-D2A6CD877FB2",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFCB88D-D946-4510-8DDC-67C32A606589",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E793287E-2BDA-4012-86F5-886B82510431",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF706143-996C-4120-B620-3EDC977568DF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "43E7F32B-C760-4862-B6DB-C38FB2A9182F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FD68A034-73A2-4B1A-95DB-19AD3131F775",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E78C912-E8FF-495F-B922-43C54D1E2180",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "15B72C17-82C3-4930-9227-226C8E64C2E7",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FA59F311-B2B4-40EE-A878-64EF9F41581B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "035B47E9-A395-47D2-9164-A2A2CF878326",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BDA55D29-C830-45EF-A3B3-BFA9EED88F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0A9356A6-D32A-487C-B743-1DA0D6C42FA6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2B3C7616-8631-49AC-979C-4347067059AF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:1.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EC487B78-AAEA-4F0E-8C8B-F415013A381E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "50EEAFDA-7782-4E1E-9058-205AD4BE9A01",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CAC748BB-BFC5-44F7-B633-CEEBB1279889",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "38CF2C31-70BB-41D3-9462-0A8B9869A5F0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8584B37-7950-4C89-83D2-04E1ACDC60BF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8CB26F65-5CFB-4BF8-BCC4-679327D4A8DB",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EF12EA5D-5EB5-46A8-AC60-65B327D610AD",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04FDC63D-6ED7-48AE-9D72-6419F54D4B84",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF12B2F-39D9-48D5-9620-DF378D199295",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "22E1EAAF-7B49-498B-BFEB-357173824F4B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1B9AD626-0AFA-4873-A701-C7716193A69C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BF69F60A-E8D3-4A4D-BBB5-DE42A1402262",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "986D2B30-FF07-498B-A5E0-A77BAB402619",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A0E3141A-162C-4674-BD7B-E1539BAA0B7B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "86E73F12-0551-42D2-ACC3-223C98B69C7E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D6BA0659-2287-4E95-B30D-2441CD96DA90",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B01A4699-32D3-459E-B731-4240C8157F71",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380."
},
{
"lang": "es",
"value": "El mecanismo de protecci\u00f3n de fijaci\u00f3n de sesi\u00f3n en el archivo cgi_process.rb en Rails versi\u00f3n 1.2.4, como es usado en Ruby on Rails, elimina el atributo :cookie_only de la constante DEFAULT_SESSION_OPTIONS, lo que causa efectivamente que cookie_only se aplique solo a la primera instancia de CgiRequest, lo que permite a atacantes remotos conducir ataques de fijaci\u00f3n de sesi\u00f3n. NOTA: esto es debido a una correcci\u00f3n incompleta para el CVE-2007-5380."
}
],
"id": "CVE-2007-6077",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-11-21T21:46:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://dev.rubyonrails.org/changeset/8177"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://dev.rubyonrails.org/ticket/10048"
},
{
"source": "cve@mitre.org",
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"source": "cve@mitre.org",
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27781"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28136"
},
{
"source": "cve@mitre.org",
"url": "http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/26598"
},
{
"source": "cve@mitre.org",
"tags": [
"US Government Resource"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2007/4009"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.rubyonrails.org/changeset/8177"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://dev.rubyonrails.org/ticket/10048"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27781"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28136"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/26598"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2007/4009"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2007/4238"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-04-22 03:27
Modified
2025-04-11 00:51
Severity ?
Summary
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CEB24FC-F068-4EBD-BDC8-AB5BC56130DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2DF384-3992-43BF-8A5C-65FA53E9A77C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6ECC8C49-5A46-4D23-81F9-8243F5D508DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "312848C5-BA35-4A48-B66D-195A5E1CD00F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B7453BE5-91C8-42B2-9F75-FFE4038F29A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A2FD44EB-E899-4FA8-985E-44B75134DDC6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "5E13E309-2411-4E1D-B27F-BF5DDDD5D5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:2.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4E1C795F-CCAC-47AC-B809-BD5510310011",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."
},
{
"lang": "es",
"value": "El componente Active Record en Ruby on Rails 2.3.x, 3.0.x, 3.1.x, y 3.2.x, no asegura que el tipo de dato declarado de una columna de la base de datos sea usado durante la comparaci\u00f3n con los valores de entrada almacenados en dicha columna, lo que facilita a atacantes remotos a llevar a cabo ataques de inyecci\u00f3n de tipos de datos (data-types) contra las aplicaciones de Ruby on Rails a trav\u00e9s de un valor manipulado, como se ha demostrado mediante una transacci\u00f3n entre la caracter\u00edstica \"typed XML\" y la base de datos de MySQL."
}
],
"id": "CVE-2013-3221",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-04-22T03:27:13.363",
"references": [
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2013/02/06/7"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2013/04/24/7"
},
{
"source": "cve@mitre.org",
"url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"
},
{
"source": "cve@mitre.org",
"url": "https://gist.github.com/dakull/5442275"
},
{
"source": "cve@mitre.org",
"url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source\u0026output=gplain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2013/02/06/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2013/04/24/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.phenoelit.org/blog/archives/2013/02/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://gist.github.com/dakull/5442275"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source\u0026output=gplain"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-12-07 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "392E2D58-CB39-4832-B4D9-9C2E23B8E14C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "1F2466EA-7039-46A1-B4A3-8DACD1953A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0CAB4E72-0A15-4B26-9B69-074C278568D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A085E105-9375-440A-80CB-9B23E6D7EB4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25911E48-C5D7-4ED8-B4DB-7523A74CCF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B29674E3-CC80-446B-9A43-82594AE7A058",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FF34D8CB-2B6D-4CB8-A206-108293BCFFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"matchCriteriaId": "272268EE-E3E8-4683-B679-55D748877A7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7B69FD33-61FE-4F10-BBE1-215F59035D30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08D7CB5D-82EF-4A24-A792-938FAB40863D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"matchCriteriaId": "8A044B21-47D5-468D-AF4A-06B3B5CC0824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2196F3D0-532A-40F9-843A-1DFBC8B63FDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CBEDA932-6CB5-438C-94E4-824732A91BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"matchCriteriaId": "903E5524-5E45-48CE-A804-EDAEBE3A79AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"matchCriteriaId": "08534AF2-F94E-4FB6-A572-4FB9827276D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"matchCriteriaId": "29E3B4A6-1346-4358-B7BC-84D00ED3ABBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"matchCriteriaId": "B52D7A6B-DD93-45F0-9186-18ABEFF28DF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1F07C641-48DF-43BE-9EB5-72B337C54846",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A1CB1B12-99F5-430F-AE19-9A95C17FA123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "05D5D58C-DB79-41EA-81AE-5D95C48211B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE331D6D-99BA-4369-AD8B-B556DEE4955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "58304E17-ADFD-4686-9CCF-C1CA31843B94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "05108EF0-81AD-4378-9843-5C23F2AC79A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "0C448F62-8231-4221-ADA0-C9B848AE03D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "60255706-C44A-48CB-B98B-A1F0991CBC74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0456E2E8-EF06-414E-8A7D-8005F0EB46B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "D9EE4763-2495-4B6A-B72F-344967E51C27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "F884F2F4-94F3-46CB-860B-1BCC0EEF408A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "88DFBB48-1C29-4639-9369-F5B413CA2337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D37696D7-BEE6-4587-9E33-A7FE24780409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "D3172982-3FA4-427F-BE3E-2321D804E49D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "FD6EC85B-F092-48FF-966A-96B9227C8656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"matchCriteriaId": "9000F3C1-57A0-474C-9C82-E58688F29838",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"matchCriteriaId": "6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A42F4E7A-6F6A-485C-8D30-95F3B0285922",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "30B9C0CB-F6E6-4233-84E4-D6E69104DD73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5343241F-274D-45FF-97C7-2BC2E920BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FED122B8-AF4C-4C48-B1E5-54F4A7A31A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "157ACCAD-0FB8-4CC9-9DFB-70835DE6506C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3E50ACF6-7277-4C9A-B42A-E7EFDC317691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C191DC2B-1EC3-48E0-A586-867E6EE4431C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA51263-6680-42C6-B119-8241D6F76206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B4BC41E8-FEDA-4C31-B479-D49A59FC4D63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "09C20971-53B5-43B0-AC45-5AA0FDF1B054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "496902D6-409A-40D9-849F-C41264BE5B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "2482AB3F-8303-4F95-BE04-C5F06EEF2015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "244C6952-377C-4AF0-8BA2-C34516A3EB5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "98A79CC5-71EC-4E90-9E99-2DF62ABC0122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "6562F3C3-D794-4107-95D4-1C0B0486940B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2816C02C-E13E-4367-91F3-14756A90EC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "1AE674DE-65DB-437E-A034-A2EE5C584B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32EB2C3F-0F24-43DB-988E-BD2973598F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB32713D-FE64-445E-872E-B4678C243AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "89C618DC-38BC-4484-8C41-BC38B7EB636B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0E376782-98B0-4766-B6FC-67E032A00C62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "96D08DC1-14E9-4DB9-BC95-3F73B454FBC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F365C9E5-27DC-46C3-AFE4-4876EC7B352B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0016A6-0ED6-443D-B969-CB1226D8E28C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "E69470EA-5EBC-4FB9-A722-5B61C70C1140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B13A8EBB-4211-4AB1-8872-244EEEE20ABD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C9AB2152-DED8-4CFD-B915-94A9F56FDD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C630AB60-DBAF-421E-B663-492BAE8A180F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F41CCF8-14EB-4327-A675-83BFDBB53196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "75842F7D-B1B1-48BA-858F-01148867B3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FE65D701-AA6E-48E4-B62B-C22DEE863503",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"matchCriteriaId": "17B1E475-C873-4561-9348-027721C08D79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38F53FB7-A292-4273-BFBE-E231235E845D",
"versionEndIncluding": "3.2.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "224BD488-0D7E-4F8B-9012-DE872DEB544C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F0635C-4EBF-4EA3-9756-A85A3BB5026B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "A325F57E-0055-4279-9ED7-A26E75FC38E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"matchCriteriaId": "991F368C-CEB5-4DE6-A7EE-C341F358A4CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "01DB164E-E08E-4649-84BD-15B4159A3AA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"matchCriteriaId": "E0F7ECFB-86A1-4F00-AD47-971FA23C6D21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*",
"matchCriteriaId": "1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF",
"versionEndIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155."
},
{
"lang": "es",
"value": "actoinpack/lib/action_dispatch/http/request.rb en Ruby on Rails anteriores a 3.2.16 y 4.x anteriores a 4.0.2 no considera correctamente las diferencias en la gesti\u00f3n de par\u00e1metros entre el componente Active Record y la implementaci\u00f3n de JSON, lo cual permite a atacantes remotos sortear restricciones de consultas a la base de datos y ejecutar comprobaciones NULL o provocar falta de cl\u00e1usulas WHERE a trav\u00e9s de una petici\u00f3n manipulada que aprovecha (1) middleware Rack de terceros o (2) middleware Rack propio. NOTA: esta vulnerabilidad existe debido a una correcci\u00f3n incompleta de CVE-2013-0155."
}
],
"id": "CVE-2013-6417",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-12-07T00:55:03.773",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html"
},
{
"source": "secalert@redhat.com",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "secalert@redhat.com",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
},
{
"source": "secalert@redhat.com",
"url": "https://puppet.com/security/cve/cve-2013-6417"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://puppet.com/security/cve/cve-2013-6417"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-06-04 20:15
Modified
2024-12-06 14:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | 7.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D2C17A69-A50E-4AB4-B607-CB917EB6B944",
"versionEndExcluding": "6.1.7.8",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1998127B-0A85-41FB-A20C-EAEBBB0BE534",
"versionEndExcluding": "7.0.8.4",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EEC8C716-9842-478E-B714-06C0DD1CDB1C",
"versionEndExcluding": "7.1.3.4",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:7.2.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "5B5E3A5F-5ACA-4A9C-A934-BB8AEB639D3B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3."
},
{
"lang": "es",
"value": "Action Pack es un framework para manejar y responder a solicitudes web. Desde 6.1.0, la Pol\u00edtica de permisos configurable de la aplicaci\u00f3n solo se ofrece en respuestas con un tipo de contenido relacionado con HTML. Esta vulnerabilidad se solucion\u00f3 en 6.1.7.8, 7.0.8.2 y 7.1.3.3."
}
],
"id": "CVE-2024-28103",
"lastModified": "2024-12-06T14:15:20.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-04T20:15:10.237",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20241206-0002/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-09 20:15
Modified
2025-03-24 21:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| rubyonrails | rails | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F666D93D-2847-4073-9F8D-6E1809B61BF3",
"versionEndExcluding": "6.0.6.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53ED168D-80DD-4200-87F4-343D11FAA14C",
"versionEndExcluding": "6.1.7.1",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA4E147-AAD7-4EA9-BB6B-8358610FEE9A",
"versionEndExcluding": "7.0.4.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.0.6.1,\u003c 6.1.7.1, and \u003c7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately."
}
],
"id": "CVE-2023-22792",
"lastModified": "2025-03-24T21:15:16.240",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-02-09T20:15:11.290",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115"
},
{
"source": "support@hackerone.com",
"url": "https://security.netapp.com/advisory/ntap-20240202-0007/"
},
{
"source": "support@hackerone.com",
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240202-0007/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.debian.org/security/2023/dsa-5372"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2016-0753 (GCVE-0-2016-0753)
Vulnerability from cvelistv5
Published
2016-02-16 02:00
Modified
2024-08-05 22:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:04.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/82247"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/82247"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/82247"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0753",
"datePublished": "2016-02-16T02:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:04.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-5189 (GCVE-0-2008-5189)
Vulnerability from cvelistv5
Published
2008-11-21 11:00
Modified
2024-08-07 10:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
References
| ▼ | URL | Tags |
|---|---|---|
| http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/32359 | vdb-entry, x_refsource_BID | |
| http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html | vendor-advisory, x_refsource_SUSE | |
| http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing | x_refsource_CONFIRM | |
| http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T10:40:17.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d"
},
{
"name": "32359",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/32359"
},
{
"name": "SUSE-SR:2008:027",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-10-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-03-03T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d"
},
{
"name": "32359",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/32359"
},
{
"name": "SUSE-SR:2008:027",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-5189",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d",
"refsource": "CONFIRM",
"url": "http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d"
},
{
"name": "32359",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/32359"
},
{
"name": "SUSE-SR:2008:027",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html"
},
{
"name": "http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing"
},
{
"name": "http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-5189",
"datePublished": "2008-11-21T11:00:00",
"dateReserved": "2008-11-20T00:00:00",
"dateUpdated": "2024-08-07T10:40:17.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0752 (GCVE-0-2016-0752)
Vulnerability from cvelistv5
Published
2016-02-16 02:00
Modified
2025-02-07 13:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:03.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "40561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"name": "FEDORA-2016-97002ad37b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81801",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/81801"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "FEDORA-2016-fa0dec2360",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2016-0752",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T13:26:36.145115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2016-0752"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T13:26:44.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "40561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"name": "FEDORA-2016-97002ad37b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81801",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/81801"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "FEDORA-2016-fa0dec2360",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0752",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "40561",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40561/"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "openSUSE-SU-2016:0363",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/13"
},
{
"name": "FEDORA-2016-97002ad37b",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "81801",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/81801"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "FEDORA-2016-fa0dec2360",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0752] Possible Information Leak Vulnerability in Action View",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0752",
"datePublished": "2016-02-16T02:00:00.000Z",
"dateReserved": "2015-12-16T00:00:00.000Z",
"dateUpdated": "2025-02-07T13:26:44.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-0448 (GCVE-0-2011-0448)
Vulnerability from cvelistv5
Published
2011-02-21 00:00
Modified
2024-08-06 21:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:51:09.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[rubyonrails-security] 20110209 Potential SQL Injection in Rails 3.0.x",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source\u0026output=gplain"
},
{
"tags": [
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4"
},
{
"name": "1025063",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://securitytracker.com/id?1025063"
},
{
"name": "FEDORA-2011-4358",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"name": "43278",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "http://secunia.com/advisories/43278"
},
{
"name": "ADV-2011-0877",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2011/0877"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-02-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-07T22:13:48.916887",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[rubyonrails-security] 20110209 Potential SQL Injection in Rails 3.0.x",
"tags": [
"mailing-list"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source\u0026output=gplain"
},
{
"url": "http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4"
},
{
"name": "1025063",
"tags": [
"vdb-entry"
],
"url": "http://securitytracker.com/id?1025063"
},
{
"name": "FEDORA-2011-4358",
"tags": [
"vendor-advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
},
{
"name": "43278",
"tags": [
"third-party-advisory"
],
"url": "http://secunia.com/advisories/43278"
},
{
"name": "ADV-2011-0877",
"tags": [
"vdb-entry"
],
"url": "http://www.vupen.com/english/advisories/2011/0877"
},
{
"url": "https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-0448",
"datePublished": "2011-02-21T00:00:00",
"dateReserved": "2011-01-13T00:00:00",
"dateUpdated": "2024-08-06T21:51:09.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-1497 (GCVE-0-2011-1497)
Vulnerability from cvelistv5
Published
2021-10-19 13:29
Modified
2024-08-06 22:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.openwall.com/lists/oss-security/2011/04/06/13 | x_refsource_MISC | |
| https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T22:28:41.705Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2011/04/06/13"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "rails",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "rails 3.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-19T13:29:55",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2011/04/06/13"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-1497",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "rails",
"version": {
"version_data": [
{
"version_value": "rails 3.0.6"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2011/04/06/13",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2011/04/06/13"
},
{
"name": "https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG",
"refsource": "MISC",
"url": "https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-1497",
"datePublished": "2021-10-19T13:29:55",
"dateReserved": "2011-03-21T00:00:00",
"dateUpdated": "2024-08-06T22:28:41.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22942 (GCVE-0-2021-22942)
Vulnerability from cvelistv5
Published
2021-10-18 00:00
Modified
2024-08-03 18:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - Open Redirect ()
Summary
A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | https://github.com/rails/rails |
Version: 6.1.4.1, 6.0.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.009Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/"
},
{
"name": "[oss-security] 20211214 [CVE-2021-44528] Possible Open Redirect in Host Authorization Middleware",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/5"
},
{
"name": "DSA-5372",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240202-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/rails/rails",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.1.4.1, 6.0.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A possible open redirect vulnerability in the Host Authorization middleware in Action Pack \u003e= 6.0.0 that could allow attackers to redirect users to a malicious website."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "Open Redirect (CWE-601)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T14:06:25.426854",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/"
},
{
"name": "[oss-security] 20211214 [CVE-2021-44528] Possible Open Redirect in Host Authorization Middleware",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/5"
},
{
"name": "DSA-5372",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240202-0005/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2021-22942",
"datePublished": "2021-10-18T00:00:00",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:26.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-1098 (GCVE-0-2012-1098)
Vulnerability from cvelistv5
Published
2012-03-13 10:00
Modified
2024-08-06 18:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
References
| ▼ | URL | Tags |
|---|---|---|
| http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html | vendor-advisory, x_refsource_FEDORA | |
| http://www.openwall.com/lists/oss-security/2012/03/03/1 | mailing-list, x_refsource_MLIST | |
| https://bugzilla.redhat.com/show_bug.cgi?id=799275 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2012/03/02/6 | mailing-list, x_refsource_MLIST | |
| http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain | mailing-list, x_refsource_MLIST | |
| http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:45:27.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2012-3321",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html"
},
{
"name": "[oss-security] 20120302 Re: CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/03/1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=799275"
},
{
"name": "[oss-security] 20120302 CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/02/6"
},
{
"name": "[rubyonrails-security] 20120301 Possible XSS Security Vulnerability in SafeBuffer#[]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source\u0026output=gplain"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-09T17:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "FEDORA-2012-3321",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html"
},
{
"name": "[oss-security] 20120302 Re: CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/03/1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=799275"
},
{
"name": "[oss-security] 20120302 CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/02/6"
},
{
"name": "[rubyonrails-security] 20120301 Possible XSS Security Vulnerability in SafeBuffer#[]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source\u0026output=gplain"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-1098",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2012-3321",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html"
},
{
"name": "[oss-security] 20120302 Re: CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/03/03/1"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=799275",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=799275"
},
{
"name": "[oss-security] 20120302 CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/03/02/6"
},
{
"name": "[rubyonrails-security] 20120301 Possible XSS Security Vulnerability in SafeBuffer#[]",
"refsource": "MLIST",
"url": "http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source\u0026output=gplain"
},
{
"name": "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-1098",
"datePublished": "2012-03-13T10:00:00",
"dateReserved": "2012-02-14T00:00:00",
"dateUpdated": "2024-08-06T18:45:27.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22902 (GCVE-0-2021-22902)
Vulnerability from cvelistv5
Published
2021-06-11 15:49
Modified
2024-08-03 18:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Denial of Service ()
Summary
The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
References
| ▼ | URL | Tags |
|---|---|---|
| https://hackerone.com/reports/1138654 | x_refsource_MISC | |
| https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | https://github.com/rails/rails |
Version: Fixed in 6.0.3.7, 6.1.3.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:25.713Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1138654"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/rails/rails",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 6.0.3.7, 6.1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-11T15:49:38",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1138654"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2021-22902",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/rails/rails",
"version": {
"version_data": [
{
"version_value": "Fixed in 6.0.3.7, 6.1.3.2"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/1138654",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1138654"
},
{
"name": "https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866",
"refsource": "MISC",
"url": "https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2021-22902",
"datePublished": "2021-06-11T15:49:38",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:25.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-2932 (GCVE-0-2011-2932)
Vulnerability from cvelistv5
Published
2011-08-29 18:00
Modified
2024-08-06 23:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:15:31.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731435"
},
{
"name": "45917",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/45917"
},
{
"name": "[oss-security] 20110817 CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"name": "FEDORA-2011-11579",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"name": "FEDORA-2011-11600",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html"
},
{
"name": "FEDORA-2011-11386",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"name": "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"name": "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"name": "[rubyonrails-security] 20110816 XSS Vulnerability in the escaping function in Ruby on Rails",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source\u0026output=gplain"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-08-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a \"UTF-8 escaping vulnerability.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2011-09-23T09:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731435"
},
{
"name": "45917",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/45917"
},
{
"name": "[oss-security] 20110817 CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"name": "FEDORA-2011-11579",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"name": "FEDORA-2011-11600",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html"
},
{
"name": "FEDORA-2011-11386",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"name": "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"name": "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"name": "[rubyonrails-security] 20110816 XSS Vulnerability in the escaping function in Ruby on Rails",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source\u0026output=gplain"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-2932",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a \"UTF-8 escaping vulnerability.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=731435",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731435"
},
{
"name": "45917",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/45917"
},
{
"name": "[oss-security] 20110817 CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"name": "FEDORA-2011-11579",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"name": "FEDORA-2011-11600",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html"
},
{
"name": "FEDORA-2011-11386",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"name": "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"name": "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"name": "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd",
"refsource": "CONFIRM",
"url": "https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"name": "[rubyonrails-security] 20110816 XSS Vulnerability in the escaping function in Ruby on Rails",
"refsource": "MLIST",
"url": "http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source\u0026output=gplain"
},
{
"name": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-2932",
"datePublished": "2011-08-29T18:00:00",
"dateReserved": "2011-07-27T00:00:00",
"dateUpdated": "2024-08-06T23:15:31.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2660 (GCVE-0-2012-2660)
Vulnerability from cvelistv5
Published
2012-06-22 14:00
Modified
2024-08-06 19:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
References
| ▼ | URL | Tags |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html | vendor-advisory, x_refsource_SUSE | |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html | vendor-advisory, x_refsource_SUSE | |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html | vendor-advisory, x_refsource_SUSE | |
| http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html | vendor-advisory, x_refsource_SUSE | |
| http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html | vendor-advisory, x_refsource_SUSE | |
| https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain | mailing-list, x_refsource_MLIST | |
| http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:42:31.885Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "SUSE-SU-2012:1015",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html"
},
{
"name": "SUSE-SU-2012:1012",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"name": "openSUSE-SU-2012:0978",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"
},
{
"name": "SUSE-SU-2012:1014",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"name": "openSUSE-SU-2012:1066",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"name": "[rubyonrails-security] 20120531 Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source\u0026output=gplain"
},
{
"name": "RHSA-2013:0154",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2694."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-09-07T09:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "SUSE-SU-2012:1015",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html"
},
{
"name": "SUSE-SU-2012:1012",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"name": "openSUSE-SU-2012:0978",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"
},
{
"name": "SUSE-SU-2012:1014",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"name": "openSUSE-SU-2012:1066",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"name": "[rubyonrails-security] 20120531 Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source\u0026output=gplain"
},
{
"name": "RHSA-2013:0154",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-2660",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2694."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "SUSE-SU-2012:1015",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html"
},
{
"name": "SUSE-SU-2012:1012",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html"
},
{
"name": "openSUSE-SU-2012:0978",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html"
},
{
"name": "SUSE-SU-2012:1014",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html"
},
{
"name": "openSUSE-SU-2012:1066",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"name": "[rubyonrails-security] 20120531 Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)",
"refsource": "MLIST",
"url": "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source\u0026output=gplain"
},
{
"name": "RHSA-2013:0154",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2660",
"datePublished": "2012-06-22T14:00:00",
"dateReserved": "2012-05-14T00:00:00",
"dateUpdated": "2024-08-06T19:42:31.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3704 (GCVE-0-2022-3704)
Vulnerability from cvelistv5
Published
2022-10-26 00:00
Modified
2024-08-03 01:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-707 - Improper Neutralization -> CWE-74 Injection -> CWE-79 Cross Site Scripting
Summary
A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319. NOTE: Maintainer declares that there isn’t a valid attack vector. The issue was wrongly reported as a security vulnerability by a non-member of the Rails team.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | Ruby on Rails |
Version: n/a |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rubyonrails:rails:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "rails",
"vendor": "rubyonrails",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3704",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T18:34:38.365654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T18:59:58.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:57.035Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rails/rails/issues/46244"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.212319"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Ruby on Rails",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319. NOTE: Maintainer declares that there isn\u2019t a valid attack vector. The issue was wrongly reported as a security vulnerability by a non-member of the Rails team."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-707",
"description": "CWE-707 Improper Neutralization -\u003e CWE-74 Injection -\u003e CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-19T00:00:00",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"url": "https://github.com/rails/rails/issues/46244"
},
{
"url": "https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4"
},
{
"url": "https://vuldb.com/?id.212319"
}
],
"tags": [
"disputed"
],
"title": "Ruby on Rails _table.html.erb cross site scripting",
"x_generator": "vuldb.com"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2022-3704",
"datePublished": "2022-10-26T00:00:00",
"dateReserved": "2022-10-26T00:00:00",
"dateUpdated": "2024-08-03T01:20:57.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8167 (GCVE-0-2020-8167)
Vulnerability from cvelistv5
Published
2020-06-19 17:16
Modified
2024-08-04 09:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF) ()
Summary
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
References
| ▼ | URL | Tags |
|---|---|---|
| https://hackerone.com/reports/189878 | x_refsource_MISC | |
| https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0 | x_refsource_MISC | |
| https://www.debian.org/security/2020/dsa-4766 | vendor-advisory, x_refsource_DEBIAN |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | http://github.com/rails/rails |
Version: Fixed in 5.2.4.3, 6.0.3.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:25.785Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/189878"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0"
},
{
"name": "DSA-4766",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "http://github.com/rails/rails",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 5.2.4.3, 6.0.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CSRF vulnerability exists in rails \u003c= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF) (CWE-352)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-25T11:06:22",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/189878"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0"
},
{
"name": "DSA-4766",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4766"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8167",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "http://github.com/rails/rails",
"version": {
"version_data": [
{
"version_value": "Fixed in 5.2.4.3, 6.0.3.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A CSRF vulnerability exists in rails \u003c= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) (CWE-352)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/189878",
"refsource": "MISC",
"url": "https://hackerone.com/reports/189878"
},
{
"name": "https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0",
"refsource": "MISC",
"url": "https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0"
},
{
"name": "DSA-4766",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4766"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8167",
"datePublished": "2020-06-19T17:16:06",
"dateReserved": "2020-01-28T00:00:00",
"dateUpdated": "2024-08-04T09:48:25.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4319 (GCVE-0-2011-4319)
Vulnerability from cvelistv5
Published
2011-11-28 11:00
Modified
2024-08-07 00:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
References
| ▼ | URL | Tags |
|---|---|---|
| http://osvdb.org/77199 | vdb-entry, x_refsource_OSVDB | |
| http://openwall.com/lists/oss-security/2011/11/18/8 | mailing-list, x_refsource_MLIST | |
| http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released | x_refsource_CONFIRM | |
| http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1 | x_refsource_CONFIRM | |
| http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain | mailing-list, x_refsource_MLIST | |
| http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released | x_refsource_CONFIRM | |
| http://www.securitytracker.com/id?1026342 | vdb-entry, x_refsource_SECTRACK | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/71364 | vdb-entry, x_refsource_XF | |
| http://www.securityfocus.com/bid/50722 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:01:51.607Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "77199",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/77199"
},
{
"name": "[oss-security] 20111118 Re: CVE Request -- Ruby on Rails / rubygem-actionpack -- XSS in the \u0027translate\u0027 helper method",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2011/11/18/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1"
},
{
"name": "[rubyonrails-security] 20111118 XSS vulnerability in the translate helper method in Ruby on Rails",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source\u0026output=gplain"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released"
},
{
"name": "1026342",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id?1026342"
},
{
"name": "rubyonrails-translatehelper-xss(71364)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71364"
},
{
"name": "50722",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/50722"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-11-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an \"html\" substring."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "77199",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/77199"
},
{
"name": "[oss-security] 20111118 Re: CVE Request -- Ruby on Rails / rubygem-actionpack -- XSS in the \u0027translate\u0027 helper method",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2011/11/18/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1"
},
{
"name": "[rubyonrails-security] 20111118 XSS vulnerability in the translate helper method in Ruby on Rails",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source\u0026output=gplain"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released"
},
{
"name": "1026342",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id?1026342"
},
{
"name": "rubyonrails-translatehelper-xss(71364)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71364"
},
{
"name": "50722",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/50722"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-4319",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an \"html\" substring."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "77199",
"refsource": "OSVDB",
"url": "http://osvdb.org/77199"
},
{
"name": "[oss-security] 20111118 Re: CVE Request -- Ruby on Rails / rubygem-actionpack -- XSS in the \u0027translate\u0027 helper method",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2011/11/18/8"
},
{
"name": "http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released"
},
{
"name": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1",
"refsource": "CONFIRM",
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1"
},
{
"name": "[rubyonrails-security] 20111118 XSS vulnerability in the translate helper method in Ruby on Rails",
"refsource": "MLIST",
"url": "http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source\u0026output=gplain"
},
{
"name": "http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released"
},
{
"name": "1026342",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id?1026342"
},
{
"name": "rubyonrails-translatehelper-xss(71364)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71364"
},
{
"name": "50722",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/50722"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-4319",
"datePublished": "2011-11-28T11:00:00",
"dateReserved": "2011-11-04T00:00:00",
"dateUpdated": "2024-08-07T00:01:51.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-2931 (GCVE-0-2011-2931)
Vulnerability from cvelistv5
Published
2011-08-29 18:00
Modified
2024-08-06 23:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:15:31.957Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[rubyonrails-security] 20110816 XSS Vulnerability in strip_tags helper",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source\u0026output=gplain"
},
{
"name": "[oss-security] 20110817 CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"name": "FEDORA-2011-11386",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"name": "FEDORA-2011-11567",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731436"
},
{
"name": "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"name": "DSA-2301",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"name": "45921",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/45921"
},
{
"name": "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"name": "FEDORA-2011-11572",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-08-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2011-09-23T09:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[rubyonrails-security] 20110816 XSS Vulnerability in strip_tags helper",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source\u0026output=gplain"
},
{
"name": "[oss-security] 20110817 CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"name": "FEDORA-2011-11386",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"name": "FEDORA-2011-11567",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731436"
},
{
"name": "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"name": "DSA-2301",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"name": "45921",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/45921"
},
{
"name": "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"name": "FEDORA-2011-11572",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-2931",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rubyonrails-security] 20110816 XSS Vulnerability in strip_tags helper",
"refsource": "MLIST",
"url": "http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source\u0026output=gplain"
},
{
"name": "[oss-security] 20110817 CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/17/1"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/13"
},
{
"name": "FEDORA-2011-11386",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html"
},
{
"name": "FEDORA-2011-11567",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=731436",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=731436"
},
{
"name": "[oss-security] 20110819 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/19/11"
},
{
"name": "DSA-2301",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"name": "45921",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/45921"
},
{
"name": "[oss-security] 20110820 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/20/1"
},
{
"name": "FEDORA-2011-11572",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/14"
},
{
"name": "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a",
"refsource": "CONFIRM",
"url": "https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a"
},
{
"name": "[oss-security] 20110822 Re: CVE request: ruby on rails flaws (4)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/08/22/5"
},
{
"name": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-2931",
"datePublished": "2011-08-29T18:00:00",
"dateReserved": "2011-07-27T00:00:00",
"dateUpdated": "2024-08-06T23:15:31.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26143 (GCVE-0-2024-26143)
Vulnerability from cvelistv5
Published
2024-02-27 15:33
Modified
2025-02-13 17:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-29T18:24:49.795683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:16.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4"
},
{
"name": "https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc"
},
{
"name": "https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e"
},
{
"name": "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "rails",
"vendor": "rails",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.0.8.1"
},
{
"status": "affected",
"version": "\u003e= 7.1.0, \u003c 7.1.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in \"_html\", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T16:11:24.075Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4"
},
{
"name": "https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc"
},
{
"name": "https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e"
},
{
"name": "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947",
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240510-0004/"
}
],
"source": {
"advisory": "GHSA-9822-6m93-xqf4",
"discovery": "UNKNOWN"
},
"title": "Rails Possible XSS Vulnerability in Action Controller"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26143",
"datePublished": "2024-02-27T15:33:54.643Z",
"dateReserved": "2024-02-14T17:40:03.688Z",
"dateUpdated": "2025-02-13T17:41:06.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-3463 (GCVE-0-2012-3463)
Vulnerability from cvelistv5
Published
2012-08-10 10:00
Modified
2024-08-06 20:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
References
| ▼ | URL | Tags |
|---|---|---|
| http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ | x_refsource_CONFIRM | |
| https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain | mailing-list, x_refsource_MLIST | |
| http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:05:12.614Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/"
},
{
"name": "[rubyonrails-security] 20120810 Ruby on Rails Potential XSS Vulnerability in select_tag prompt",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source\u0026output=gplain"
},
{
"name": "RHSA-2013:0154",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-08-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-02-07T10:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/"
},
{
"name": "[rubyonrails-security] 20120810 Ruby on Rails Potential XSS Vulnerability in select_tag prompt",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source\u0026output=gplain"
},
{
"name": "RHSA-2013:0154",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-3463",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/"
},
{
"name": "[rubyonrails-security] 20120810 Ruby on Rails Potential XSS Vulnerability in select_tag prompt",
"refsource": "MLIST",
"url": "https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source\u0026output=gplain"
},
{
"name": "RHSA-2013:0154",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-3463",
"datePublished": "2012-08-10T10:00:00",
"dateReserved": "2012-06-14T00:00:00",
"dateUpdated": "2024-08-06T20:05:12.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0080 (GCVE-0-2014-0080)
Vulnerability from cvelistv5
Published
2014-02-20 11:00
Modified
2024-08-06 09:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.
References
| ▼ | URL | Tags |
|---|---|---|
| https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ | mailing-list, x_refsource_MLIST | |
| http://openwall.com/lists/oss-security/2014/02/18/9 | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:05:37.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[rubyonrails-security] 20140218 Data Injection Vulnerability in Active Record (CVE-2014-0080)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
},
{
"name": "[oss-security] 20140218 Data Injection Vulnerability in Active Record (CVE-2014-0080)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/02/18/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-02-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute \"add data\" SQL commands via vectors involving \\ (backslash) characters that are not properly handled in operations on array columns."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-02-20T04:57:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[rubyonrails-security] 20140218 Data Injection Vulnerability in Active Record (CVE-2014-0080)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
},
{
"name": "[oss-security] 20140218 Data Injection Vulnerability in Active Record (CVE-2014-0080)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/02/18/9"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-0080",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute \"add data\" SQL commands via vectors involving \\ (backslash) characters that are not properly handled in operations on array columns."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rubyonrails-security] 20140218 Data Injection Vulnerability in Active Record (CVE-2014-0080)",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
},
{
"name": "[oss-security] 20140218 Data Injection Vulnerability in Active Record (CVE-2014-0080)",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/02/18/9"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-0080",
"datePublished": "2014-02-20T11:00:00",
"dateReserved": "2013-12-03T00:00:00",
"dateUpdated": "2024-08-06T09:05:37.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-3299 (GCVE-0-2010-3299)
Vulnerability from cvelistv5
Published
2019-11-12 20:55
Modified
2024-08-07 03:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- on rails: padding oracle attack
Summary
The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security-tracker.debian.org/tracker/CVE-2010-3299 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/cve-2010-3299 | x_refsource_MISC | |
| https://seclists.org/oss-sec/2010/q3/357 | mailing-list, x_refsource_MLIST | |
| https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:03:18.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-3299"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2010-3299"
},
{
"name": "[oss-security] 20100914 Re: CVE request: padding oracle attack: ruby on rails 2.3, owasp esapi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2010/q3/357"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "rails",
"vendor": "rails",
"versions": [
{
"status": "affected",
"version": "2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "on rails: padding oracle attack",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-12T20:55:04",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-3299"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2010-3299"
},
{
"name": "[oss-security] 20100914 Re: CVE request: padding oracle attack: ruby on rails 2.3, owasp esapi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://seclists.org/oss-sec/2010/q3/357"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-3299",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "rails",
"version": {
"version_data": [
{
"version_value": "2.3"
}
]
}
}
]
},
"vendor_name": "rails"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "on rails: padding oracle attack"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2010-3299",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-3299"
},
{
"name": "https://access.redhat.com/security/cve/cve-2010-3299",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2010-3299"
},
{
"name": "[oss-security] 20100914 Re: CVE request: padding oracle attack: ruby on rails 2.3, owasp esapi",
"refsource": "MLIST",
"url": "https://seclists.org/oss-sec/2010/q3/357"
},
{
"name": "https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf",
"refsource": "MISC",
"url": "https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-3299",
"datePublished": "2019-11-12T20:55:04",
"dateReserved": "2010-09-13T00:00:00",
"dateUpdated": "2024-08-07T03:03:18.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22795 (GCVE-0-2023-22795)
Vulnerability from cvelistv5
Published
2023-02-09 00:00
Modified
2024-08-02 10:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Denial of Service ()
Summary
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | https://github.com/rails/rails |
Version: 6.1.7.1, 7.0.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.901Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"name": "DSA-5372",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/rails/rails",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.1.7.1, 7.0.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T14:06:23.429831",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"name": "DSA-5372",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2023-22795",
"datePublished": "2023-02-09T00:00:00",
"dateReserved": "2023-01-06T00:00:00",
"dateUpdated": "2024-08-02T10:20:30.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5418 (GCVE-0-2019-5418)
Vulnerability from cvelistv5
Published
2019-03-27 13:38
Modified
2025-07-07 22:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Path Traversal ()
Summary
There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rails | https://github.com/rails/rails |
Version: 5.2.2.1 Version: 5.1.6.2 Version: 5.0.7.2 Version: 4.2.11.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:54:53.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "46585",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46585/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"
},
{
"name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q"
},
{
"name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
},
{
"name": "RHSA-2019:0796",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0796"
},
{
"name": "openSUSE-SU-2019:1344",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
},
{
"name": "FEDORA-2019-1cfe24db5c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
},
{
"name": "RHSA-2019:1149",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1149"
},
{
"name": "RHSA-2019:1147",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1147"
},
{
"name": "RHSA-2019:1289",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1289"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2019-5418",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T17:20:59.773158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-07-07",
"reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T22:20:23.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"url": "https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-07T00:00:00+00:00",
"value": "CVE-2019-5418 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/rails/rails",
"vendor": "Rails",
"versions": [
{
"status": "affected",
"version": "5.2.2.1"
},
{
"status": "affected",
"version": "5.1.6.2"
},
{
"status": "affected",
"version": "5.0.7.2"
},
{
"status": "affected",
"version": "4.2.11.1"
}
]
}
],
"datePublic": "2019-03-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "There is a File Content Disclosure vulnerability in Action View \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system\u0027s filesystem to be exposed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-11T18:33:30.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"name": "46585",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/46585/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"
},
{
"name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q"
},
{
"name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
},
{
"name": "RHSA-2019:0796",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0796"
},
{
"name": "openSUSE-SU-2019:1344",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
},
{
"name": "FEDORA-2019-1cfe24db5c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
},
{
"name": "RHSA-2019:1149",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1149"
},
{
"name": "RHSA-2019:1147",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1147"
},
{
"name": "RHSA-2019:1289",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1289"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-5418",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/rails/rails",
"version": {
"version_data": [
{
"version_value": "5.2.2.1"
},
{
"version_value": "5.1.6.2"
},
{
"version_value": "5.0.7.2"
},
{
"version_value": "4.2.11.1"
}
]
}
}
]
},
"vendor_name": "Rails"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a File Content Disclosure vulnerability in Action View \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system\u0027s filesystem to be exposed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "46585",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/46585/"
},
{
"name": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"
},
{
"name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
},
{
"name": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/",
"refsource": "CONFIRM",
"url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
},
{
"name": "https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q",
"refsource": "CONFIRM",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q"
},
{
"name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
},
{
"name": "RHSA-2019:0796",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0796"
},
{
"name": "openSUSE-SU-2019:1344",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
},
{
"name": "FEDORA-2019-1cfe24db5c",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
},
{
"name": "RHSA-2019:1149",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1149"
},
{
"name": "RHSA-2019:1147",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1147"
},
{
"name": "RHSA-2019:1289",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1289"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2019-5418",
"datePublished": "2019-03-27T13:38:58.000Z",
"dateReserved": "2019-01-04T00:00:00.000Z",
"dateUpdated": "2025-07-07T22:20:23.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0082 (GCVE-0-2014-0082)
Vulnerability from cvelistv5
Published
2014-02-20 11:00
Modified
2024-08-06 09:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
References
| ▼ | URL | Tags |
|---|---|---|
| https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ | mailing-list, x_refsource_MLIST | |
| http://rhn.redhat.com/errata/RHSA-2014-0215.html | vendor-advisory, x_refsource_REDHAT | |
| http://secunia.com/advisories/57836 | third-party-advisory, x_refsource_SECUNIA | |
| http://rhn.redhat.com/errata/RHSA-2014-0306.html | vendor-advisory, x_refsource_REDHAT | |
| https://puppet.com/security/cve/cve-2014-0082 | x_refsource_CONFIRM | |
| http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html | vendor-advisory, x_refsource_SUSE | |
| http://secunia.com/advisories/57376 | third-party-advisory, x_refsource_SECUNIA | |
| http://openwall.com/lists/oss-security/2014/02/18/10 | mailing-list, x_refsource_MLIST | |
| http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:05:37.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[rubyonrails-security] 20140218 Denial of Service Vulnerability in Action View when using render :text (CVE-2014-0082)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ"
},
{
"name": "RHSA-2014:0215",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0215.html"
},
{
"name": "57836",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57836"
},
{
"name": "RHSA-2014:0306",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0306.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2014-0082"
},
{
"name": "openSUSE-SU-2014:0295",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"
},
{
"name": "57376",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57376"
},
{
"name": "[oss-security] 20140218 Denial of Service Vulnerability in Action View when using render :text (CVE-2014-0082)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/02/18/10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-02-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-08T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[rubyonrails-security] 20140218 Denial of Service Vulnerability in Action View when using render :text (CVE-2014-0082)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ"
},
{
"name": "RHSA-2014:0215",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0215.html"
},
{
"name": "57836",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57836"
},
{
"name": "RHSA-2014:0306",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0306.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2014-0082"
},
{
"name": "openSUSE-SU-2014:0295",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"
},
{
"name": "57376",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57376"
},
{
"name": "[oss-security] 20140218 Denial of Service Vulnerability in Action View when using render :text (CVE-2014-0082)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/02/18/10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-0082",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rubyonrails-security] 20140218 Denial of Service Vulnerability in Action View when using render :text (CVE-2014-0082)",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ"
},
{
"name": "RHSA-2014:0215",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0215.html"
},
{
"name": "57836",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57836"
},
{
"name": "RHSA-2014:0306",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0306.html"
},
{
"name": "https://puppet.com/security/cve/cve-2014-0082",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2014-0082"
},
{
"name": "openSUSE-SU-2014:0295",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html"
},
{
"name": "57376",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57376"
},
{
"name": "[oss-security] 20140218 Denial of Service Vulnerability in Action View when using render :text (CVE-2014-0082)",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/02/18/10"
},
{
"name": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/",
"refsource": "CONFIRM",
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-0082",
"datePublished": "2014-02-20T11:00:00",
"dateReserved": "2013-12-03T00:00:00",
"dateUpdated": "2024-08-06T09:05:37.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2009-4214 (GCVE-0-2009-4214)
Vulnerability from cvelistv5
Published
2009-12-07 17:00
Modified
2024-08-07 06:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T06:54:09.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[rubyonrails-security] 20091127 XSS Weakness in strip_tags",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"
},
{
"name": "37446",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/37446"
},
{
"name": "ADV-2009-3352",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2009/3352"
},
{
"name": "DSA-2301",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"name": "APPLE-SA-2010-03-29-1",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released"
},
{
"name": "37142",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/37142"
},
{
"name": "DSA-2260",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2011/dsa-2260"
},
{
"name": "[oss-security] 20091127 CVE request: ruby on rails XSS Weakness in strip_tags",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2009/11/27/2"
},
{
"name": "SUSE-SR:2010:006",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://support.apple.com/kb/HT4077"
},
{
"name": "1023245",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id?1023245"
},
{
"name": "38915",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/38915"
},
{
"name": "[oss-security] 20091208 Re: CVE request: ruby on rails XSS Weakness in strip_tags",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2009/12/08/3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-11-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-12-17T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[rubyonrails-security] 20091127 XSS Weakness in strip_tags",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"
},
{
"name": "37446",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/37446"
},
{
"name": "ADV-2009-3352",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2009/3352"
},
{
"name": "DSA-2301",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"name": "APPLE-SA-2010-03-29-1",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released"
},
{
"name": "37142",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/37142"
},
{
"name": "DSA-2260",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2011/dsa-2260"
},
{
"name": "[oss-security] 20091127 CVE request: ruby on rails XSS Weakness in strip_tags",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2009/11/27/2"
},
{
"name": "SUSE-SR:2010:006",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://support.apple.com/kb/HT4077"
},
{
"name": "1023245",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id?1023245"
},
{
"name": "38915",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/38915"
},
{
"name": "[oss-security] 20091208 Re: CVE request: ruby on rails XSS Weakness in strip_tags",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2009/12/08/3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-4214",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rubyonrails-security] 20091127 XSS Weakness in strip_tags",
"refsource": "MLIST",
"url": "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"
},
{
"name": "37446",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/37446"
},
{
"name": "ADV-2009-3352",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2009/3352"
},
{
"name": "DSA-2301",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2011/dsa-2301"
},
{
"name": "APPLE-SA-2010-03-29-1",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"name": "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released"
},
{
"name": "37142",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/37142"
},
{
"name": "DSA-2260",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2011/dsa-2260"
},
{
"name": "[oss-security] 20091127 CVE request: ruby on rails XSS Weakness in strip_tags",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2009/11/27/2"
},
{
"name": "SUSE-SR:2010:006",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html"
},
{
"name": "http://support.apple.com/kb/HT4077",
"refsource": "CONFIRM",
"url": "http://support.apple.com/kb/HT4077"
},
{
"name": "1023245",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id?1023245"
},
{
"name": "38915",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/38915"
},
{
"name": "[oss-security] 20091208 Re: CVE request: ruby on rails XSS Weakness in strip_tags",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2009/12/08/3"
},
{
"name": "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5",
"refsource": "CONFIRM",
"url": "http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-4214",
"datePublished": "2009-12-07T17:00:00",
"dateReserved": "2009-12-07T00:00:00",
"dateUpdated": "2024-08-07T06:54:09.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-17916 (GCVE-0-2017-17916)
Vulnerability from cvelistv5
Published
2017-12-29 16:00
Modified
2024-08-05 21:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input
References
| ▼ | URL | Tags |
|---|---|---|
| https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:49.368Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the \u0027find_by\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027name\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-01T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17916",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** SQL injection vulnerability in the \u0027find_by\u0027 method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \u0027name\u0027 parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/",
"refsource": "MISC",
"url": "https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17916",
"datePublished": "2017-12-29T16:00:00",
"dateReserved": "2017-12-26T00:00:00",
"dateUpdated": "2024-08-05T21:06:49.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-6415 (GCVE-0-2013-6415)
Vulnerability from cvelistv5
Published
2013-12-07 00:00
Modified
2024-08-06 17:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:39:01.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2014:0008",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2013-6415"
},
{
"name": "openSUSE-SU-2014:0019",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"name": "openSUSE-SU-2014:0009",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1905",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html"
},
{
"name": "openSUSE-SU-2013:1907",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2013:1904",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2014:1863",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "RHSA-2013:1794",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "64077",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/64077"
},
{
"name": "56093",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/56093"
},
{
"name": "DSA-2888",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2888"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-12-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-08T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2014:0008",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2013-6415"
},
{
"name": "openSUSE-SU-2014:0019",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"name": "openSUSE-SU-2014:0009",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1905",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html"
},
{
"name": "openSUSE-SU-2013:1907",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2013:1904",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2014:1863",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "RHSA-2013:1794",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "64077",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/64077"
},
{
"name": "56093",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/56093"
},
{
"name": "DSA-2888",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2888"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-6415",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2014:0008",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "https://puppet.com/security/cve/cve-2013-6415",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2013-6415"
},
{
"name": "openSUSE-SU-2014:0019",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1905",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html"
},
{
"name": "openSUSE-SU-2013:1907",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2013:1904",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"
},
{
"name": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2014:1863",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "RHSA-2013:1794",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "64077",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/64077"
},
{
"name": "56093",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/56093"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2888"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-6415",
"datePublished": "2013-12-07T00:00:00",
"dateReserved": "2013-11-04T00:00:00",
"dateUpdated": "2024-08-06T17:39:01.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-2098 (GCVE-0-2016-2098)
Vulnerability from cvelistv5
Published
2016-04-07 23:00
Modified
2024-08-05 23:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:17:50.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "SUSE-SU-2016:0867",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "83725",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/83725"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "40086",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "openSUSE-SU-2016:0790",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-02-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-02T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "SUSE-SU-2016:0867",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"name": "SUSE-SU-2016:0967",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "83725",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/83725"
},
{
"name": "1035122",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "40086",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"name": "SUSE-SU-2016:0854",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "openSUSE-SU-2016:0790",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0835",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-2098",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "SUSE-SU-2016:0867",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html"
},
{
"name": "SUSE-SU-2016:0967",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html"
},
{
"name": "DSA-3509",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3509"
},
{
"name": "83725",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/83725"
},
{
"name": "1035122",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1035122"
},
{
"name": "40086",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40086/"
},
{
"name": "SUSE-SU-2016:0854",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html"
},
{
"name": "openSUSE-SU-2016:0790",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0835",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html"
},
{
"name": "[ruby-security-ann] 20160229 [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ"
},
{
"name": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-2098",
"datePublished": "2016-04-07T23:00:00",
"dateReserved": "2016-01-29T00:00:00",
"dateUpdated": "2024-08-05T23:17:50.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-3424 (GCVE-0-2012-3424)
Vulnerability from cvelistv5
Published
2012-08-08 10:00
Modified
2024-08-06 20:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
References
| ▼ | URL | Tags |
|---|---|---|
| https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain | mailing-list, x_refsource_MLIST | |
| http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/ | x_refsource_CONFIRM | |
| http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html | vendor-advisory, x_refsource_SUSE | |
| http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:05:12.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[rubyonrails-security] 20120726 Ruby on Rails DoS Vulnerability in authenticate_or_request_with_http_digest (CVE-2012-3424)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en\u0026dmode=source\u0026output=gplain"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/"
},
{
"name": "openSUSE-SU-2012:1066",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"name": "RHSA-2013:0154",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-11-06T10:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[rubyonrails-security] 20120726 Ruby on Rails DoS Vulnerability in authenticate_or_request_with_http_digest (CVE-2012-3424)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en\u0026dmode=source\u0026output=gplain"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/"
},
{
"name": "openSUSE-SU-2012:1066",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"name": "RHSA-2013:0154",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-3424",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rubyonrails-security] 20120726 Ruby on Rails DoS Vulnerability in authenticate_or_request_with_http_digest (CVE-2012-3424)",
"refsource": "MLIST",
"url": "https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en\u0026dmode=source\u0026output=gplain"
},
{
"name": "http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/"
},
{
"name": "openSUSE-SU-2012:1066",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html"
},
{
"name": "RHSA-2013:0154",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0154.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-3424",
"datePublished": "2012-08-08T10:00:00",
"dateReserved": "2012-06-14T00:00:00",
"dateUpdated": "2024-08-06T20:05:12.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-3514 (GCVE-0-2014-3514)
Vulnerability from cvelistv5
Published
2014-08-20 10:00
Modified
2024-08-06 10:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.
References
| ▼ | URL | Tags |
|---|---|---|
| https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ | mailing-list, x_refsource_MLIST | |
| http://secunia.com/advisories/60347 | third-party-advisory, x_refsource_SECUNIA | |
| http://openwall.com/lists/oss-security/2014/08/18/10 | mailing-list, x_refsource_MLIST | |
| http://rhn.redhat.com/errata/RHSA-2014-1102.html | vendor-advisory, x_refsource_REDHAT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:43:06.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[rubyonrails-security] 20140818 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
},
{
"name": "60347",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/60347"
},
{
"name": "[oss-security] 20140814 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/08/18/10"
},
{
"name": "RHSA-2014:1102",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-08-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-04T17:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[rubyonrails-security] 20140818 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
},
{
"name": "60347",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/60347"
},
{
"name": "[oss-security] 20140814 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/08/18/10"
},
{
"name": "RHSA-2014:1102",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-3514",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[rubyonrails-security] 20140818 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
},
{
"name": "60347",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/60347"
},
{
"name": "[oss-security] 20140814 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/08/18/10"
},
{
"name": "RHSA-2014:1102",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-3514",
"datePublished": "2014-08-20T10:00:00",
"dateReserved": "2014-05-14T00:00:00",
"dateUpdated": "2024-08-06T10:43:06.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6496 (GCVE-0-2012-6496)
Vulnerability from cvelistv5
Published
2013-01-04 02:00
Modified
2024-08-06 21:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=889649 | x_refsource_CONFIRM | |
| http://rhn.redhat.com/errata/RHSA-2013-0155.html | vendor-advisory, x_refsource_REDHAT | |
| http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/ | x_refsource_MISC | |
| http://rhn.redhat.com/errata/RHSA-2013-0220.html | vendor-advisory, x_refsource_REDHAT | |
| http://security.gentoo.org/glsa/glsa-201401-22.xml | vendor-advisory, x_refsource_GENTOO | |
| http://rhn.redhat.com/errata/RHSA-2013-0154.html | vendor-advisory, x_refsource_REDHAT | |
| https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain | mailing-list, x_refsource_MLIST | |
| http://www.securityfocus.com/bid/57084 | vdb-entry, x_refsource_BID | |
| http://rhn.redhat.com/errata/RHSA-2013-0544.html | vendor-advisory, x_refsource_REDHAT |