gsd-2015-3224
Vulnerability from gsd
Modified
2015-06-16 00:00
Details
Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default). Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved. All affected users should either upgrade or use one of the work arounds immediately. To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile.
Aliases
Aliases
CVE-2015-3224


To clipboard 

{
  "GSD": {
    "alias": "CVE-2015-3224",
    "description": "request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client\u0027s IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.",
    "id": "GSD-2015-3224",
    "references": [
      "https://www.suse.com/security/cve/CVE-2015-3224.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "web-console",
            "purl": "pkg:gem/web-console"
          }
        }
      ],
      "aliases": [
        "CVE-2015-3224",
        "GHSA-67j6-xv27-w6ww"
      ],
      "details": "Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).\n\nUsers whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.\n\nAll affected users should either upgrade or use one of the work arounds immediately.\n\nTo work around this issue, turn off web-console in all environments, by removing/commenting it from the application\u0027s Gemfile.\n",
      "id": "GSD-2015-3224",
      "modified": "2015-06-16T00:00:00.000Z",
      "published": "2015-06-16T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw"
        }
      ],
      "schema_version": "1.4.0",
      "summary": "IP whitelist bypass in Web Console"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2015-3224",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client\u0027s IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "75237",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/75237"
          },
          {
            "name": "[rubyonrails-security] 20150616 [CVE-2015-3224] IP whitelist bypass in Web Console",
            "refsource": "MLIST",
            "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ"
          },
          {
            "name": "[oss-security] 20150616 [CVE-2015-3224] IP whitelist bypass in Web Console",
            "refsource": "MLIST",
            "url": "http://openwall.com/lists/oss-security/2015/06/16/18"
          },
          {
            "name": "FEDORA-2015-10128",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html"
          },
          {
            "name": "https://github.com/rails/web-console/blob/master/CHANGELOG.markdown",
            "refsource": "CONFIRM",
            "url": "https://github.com/rails/web-console/blob/master/CHANGELOG.markdown"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2015-3224",
      "date": "2015-06-16",
      "description": "Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).\n\nUsers whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.\n\nAll affected users should either upgrade or use one of the work arounds immediately.\n\nTo work around this issue, turn off web-console in all environments, by removing/commenting it from the application\u0027s Gemfile.\n",
      "gem": "web-console",
      "ghsa": "67j6-xv27-w6ww",
      "patched_versions": [
        "\u003e= 2.1.3"
      ],
      "title": "IP whitelist bypass in Web Console",
      "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.1.3",
          "affected_versions": "All versions before 2.1.3",
          "credit": "Joernchen of Phenoelit and Ben Murphy",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-284",
            "CWE-937"
          ],
          "date": "2016-12-02",
          "description": "Specially crafted remote requests can spoof their origin, bypassing the IP allowlist, in any environment where Web Console is enabled (development and test, by default).To work around this issue, turn off web-console in all environments, by removing/commenting it from the application\u0027s Gemfile.",
          "fixed_versions": [
            "2.1.3"
          ],
          "identifier": "CVE-2015-3224",
          "identifiers": [
            "CVE-2015-3224"
          ],
          "package_slug": "gem/web-console",
          "pubdate": "2015-07-26",
          "solution": "Upgrade to latest, apply patch or use workaround; see provided link.",
          "title": "Permissive List of Allowed Inputs",
          "urls": [
            "https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw"
          ],
          "uuid": "9d2cb4f0-86a2-4f60-8ba7-9c016b7ead55"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:web_console:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.1.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-3224"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client\u0027s IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[rubyonrails-security] 20150616 [CVE-2015-3224] IP whitelist bypass in Web Console",
              "refsource": "MLIST",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ"
            },
            {
              "name": "[oss-security] 20150616 [CVE-2015-3224] IP whitelist bypass in Web Console",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://openwall.com/lists/oss-security/2015/06/16/18"
            },
            {
              "name": "https://github.com/rails/web-console/blob/master/CHANGELOG.markdown",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/rails/web-console/blob/master/CHANGELOG.markdown"
            },
            {
              "name": "FEDORA-2015-10128",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html"
            },
            {
              "name": "75237",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/75237"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2016-12-03T03:08Z",
      "publishedDate": "2015-07-26T22:59Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.