Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
Typedeb
Namespacedebian
Namerails
Version2:6.0.3.7+dfsg-2+deb11u2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2:7.2.3.1+dfsg-1
Latest_non_vulnerable_version2:7.2.3.1+dfsg-1
Affected_by_vulnerabilities
0
url VCID-3hur-esmy-x3hr
vulnerability_id VCID-3hur-esmy-x3hr
summary 
Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.

Impact
------

Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2

Credits
-------

Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47888.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47888.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47888
reference_id
reference_type
scores
0
value 0.00476
scoring_system epss
scoring_elements 0.64924
published_at 2026-04-26T12:55:00Z
1
value 0.00476
scoring_system epss
scoring_elements 0.64911
published_at 2026-04-24T12:55:00Z
2
value 0.00517
scoring_system epss
scoring_elements 0.66721
published_at 2026-04-16T12:55:00Z
3
value 0.00517
scoring_system epss
scoring_elements 0.66687
published_at 2026-04-13T12:55:00Z
4
value 0.00517
scoring_system epss
scoring_elements 0.66646
published_at 2026-04-07T12:55:00Z
5
value 0.00517
scoring_system epss
scoring_elements 0.66719
published_at 2026-04-21T12:55:00Z
6
value 0.00517
scoring_system epss
scoring_elements 0.66734
published_at 2026-04-18T12:55:00Z
7
value 0.00517
scoring_system epss
scoring_elements 0.66695
published_at 2026-04-08T12:55:00Z
8
value 0.00517
scoring_system epss
scoring_elements 0.66672
published_at 2026-04-04T12:55:00Z
9
value 0.00517
scoring_system epss
scoring_elements 0.66717
published_at 2026-04-12T12:55:00Z
10
value 0.00517
scoring_system epss
scoring_elements 0.6673
published_at 2026-04-11T12:55:00Z
11
value 0.00517
scoring_system epss
scoring_elements 0.6671
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47888
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47888
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47888
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319035
reference_id 2319035
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319035
9
reference_url https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
reference_id 4f4312b21a6448336de7c7ab0c4d94b378def468
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
10
reference_url https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
reference_id 727b0946c3cab04b825c039435eac963d4e91822
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
11
reference_url https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
reference_id ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47888
reference_id CVE-2024-47888
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-47888
13
reference_url https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
reference_id de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
14
reference_url https://github.com/advisories/GHSA-wwhv-wxv9-rpgw
reference_id GHSA-wwhv-wxv9-rpgw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wwhv-wxv9-rpgw
15
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2024-47888, GHSA-wwhv-wxv9-rpgw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3hur-esmy-x3hr
1
url VCID-4tzv-1t1b-t3g3
vulnerability_id VCID-4tzv-1t1b-t3g3
summary 
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
### Impact
`NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33169
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.0484
published_at 2026-04-04T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.04912
published_at 2026-04-09T12:55:00Z
2
value 0.00019
scoring_system epss
scoring_elements 0.04895
published_at 2026-04-08T12:55:00Z
3
value 0.00019
scoring_system epss
scoring_elements 0.04858
published_at 2026-04-07T12:55:00Z
4
value 0.00019
scoring_system epss
scoring_elements 0.04955
published_at 2026-04-21T12:55:00Z
5
value 0.00019
scoring_system epss
scoring_elements 0.04811
published_at 2026-04-18T12:55:00Z
6
value 0.00019
scoring_system epss
scoring_elements 0.04803
published_at 2026-04-16T12:55:00Z
7
value 0.00019
scoring_system epss
scoring_elements 0.04855
published_at 2026-04-13T12:55:00Z
8
value 0.00019
scoring_system epss
scoring_elements 0.04874
published_at 2026-04-12T12:55:00Z
9
value 0.00019
scoring_system epss
scoring_elements 0.04814
published_at 2026-04-02T12:55:00Z
10
value 0.00019
scoring_system epss
scoring_elements 0.04894
published_at 2026-04-11T12:55:00Z
11
value 0.0002
scoring_system epss
scoring_elements 0.0558
published_at 2026-04-24T12:55:00Z
12
value 0.0002
scoring_system epss
scoring_elements 0.05616
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33169
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33169
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
6
reference_url https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
7
reference_url https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33169
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33169
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450556
reference_id 2450556
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450556
15
reference_url https://github.com/advisories/GHSA-cg4j-q9v8-6v38
reference_id GHSA-cg4j-q9v8-6v38
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cg4j-q9v8-6v38
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
aliases CVE-2026-33169, GHSA-cg4j-q9v8-6v38
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4tzv-1t1b-t3g3
2
url VCID-5tky-d2en-u7c7
vulnerability_id VCID-5tky-d2en-u7c7
summary 
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
### Impact
`SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33170
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02183
published_at 2026-04-12T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02179
published_at 2026-04-13T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02222
published_at 2026-04-09T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02201
published_at 2026-04-08T12:55:00Z
4
value 0.00013
scoring_system epss
scoring_elements 0.02199
published_at 2026-04-11T12:55:00Z
5
value 0.00013
scoring_system epss
scoring_elements 0.02204
published_at 2026-04-04T12:55:00Z
6
value 0.00013
scoring_system epss
scoring_elements 0.022
published_at 2026-04-02T12:55:00Z
7
value 0.00013
scoring_system epss
scoring_elements 0.02255
published_at 2026-04-21T12:55:00Z
8
value 0.00013
scoring_system epss
scoring_elements 0.02169
published_at 2026-04-18T12:55:00Z
9
value 0.00013
scoring_system epss
scoring_elements 0.02157
published_at 2026-04-16T12:55:00Z
10
value 0.00014
scoring_system epss
scoring_elements 0.02804
published_at 2026-04-24T12:55:00Z
11
value 0.00014
scoring_system epss
scoring_elements 0.02791
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33170
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33170
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33170
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
6
reference_url https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
7
reference_url https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33170
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33170
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450543
reference_id 2450543
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450543
15
reference_url https://github.com/advisories/GHSA-89vf-4333-qx8v
reference_id GHSA-89vf-4333-qx8v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-89vf-4333-qx8v
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
aliases CVE-2026-33170, GHSA-89vf-4333-qx8v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5tky-d2en-u7c7
3
url VCID-6pxd-xsaw-tuer
vulnerability_id VCID-6pxd-xsaw-tuer
summary 
Active Support Possibly Discloses Locally Encrypted Files
There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-38037
reference_id
reference_type
scores
0
value 0.0007
scoring_system epss
scoring_elements 0.21274
published_at 2026-04-26T12:55:00Z
1
value 0.0007
scoring_system epss
scoring_elements 0.21275
published_at 2026-04-24T12:55:00Z
2
value 0.00076
scoring_system epss
scoring_elements 0.22911
published_at 2026-04-02T12:55:00Z
3
value 0.00076
scoring_system epss
scoring_elements 0.2277
published_at 2026-04-21T12:55:00Z
4
value 0.00076
scoring_system epss
scoring_elements 0.2281
published_at 2026-04-18T12:55:00Z
5
value 0.00076
scoring_system epss
scoring_elements 0.22876
published_at 2026-04-09T12:55:00Z
6
value 0.00076
scoring_system epss
scoring_elements 0.22823
published_at 2026-04-08T12:55:00Z
7
value 0.00076
scoring_system epss
scoring_elements 0.22747
published_at 2026-04-07T12:55:00Z
8
value 0.00076
scoring_system epss
scoring_elements 0.22954
published_at 2026-04-04T12:55:00Z
9
value 0.00076
scoring_system epss
scoring_elements 0.22816
published_at 2026-04-16T12:55:00Z
10
value 0.00076
scoring_system epss
scoring_elements 0.22803
published_at 2026-04-13T12:55:00Z
11
value 0.00076
scoring_system epss
scoring_elements 0.22859
published_at 2026-04-12T12:55:00Z
12
value 0.00076
scoring_system epss
scoring_elements 0.22896
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-38037
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38037
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38037
3
reference_url https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:35:42Z/
url https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
6
reference_url https://github.com/rails/rails/releases/tag/v7.0.7.1
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements
1
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.7.1
7
reference_url https://security.netapp.com/advisory/ntap-20250214-0010
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250214-0010
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051057
reference_id 1051057
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051057
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2236261
reference_id 2236261
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2236261
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-38037
reference_id CVE-2023-38037
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-38037
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
reference_id CVE-2023-38037.YML
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
12
reference_url https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
reference_id GHSA-cr5q-6q9f-rq6q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
13
reference_url https://access.redhat.com/errata/RHSA-2023:7720
reference_id RHSA-2023:7720
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7720
14
reference_url https://access.redhat.com/errata/RHSA-2024:0268
reference_id RHSA-2024:0268
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0268
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2023-38037, GHSA-cr5q-6q9f-rq6q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6pxd-xsaw-tuer
4
url VCID-96qr-hdbp-p7ff
vulnerability_id VCID-96qr-hdbp-p7ff
summary 
Rails has a possible XSS vulnerability in its Action View tag helpers
### Impact
When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33168.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33168.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33168
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.06251
published_at 2026-04-12T12:55:00Z
1
value 0.00023
scoring_system epss
scoring_elements 0.06265
published_at 2026-04-09T12:55:00Z
2
value 0.00023
scoring_system epss
scoring_elements 0.06255
published_at 2026-04-11T12:55:00Z
3
value 0.00023
scoring_system epss
scoring_elements 0.06362
published_at 2026-04-21T12:55:00Z
4
value 0.00023
scoring_system epss
scoring_elements 0.06211
published_at 2026-04-18T12:55:00Z
5
value 0.00023
scoring_system epss
scoring_elements 0.06199
published_at 2026-04-16T12:55:00Z
6
value 0.00023
scoring_system epss
scoring_elements 0.06203
published_at 2026-04-04T12:55:00Z
7
value 0.00023
scoring_system epss
scoring_elements 0.06172
published_at 2026-04-02T12:55:00Z
8
value 0.00023
scoring_system epss
scoring_elements 0.06185
published_at 2026-04-07T12:55:00Z
9
value 0.00023
scoring_system epss
scoring_elements 0.06227
published_at 2026-04-08T12:55:00Z
10
value 0.00023
scoring_system epss
scoring_elements 0.06241
published_at 2026-04-13T12:55:00Z
11
value 0.00025
scoring_system epss
scoring_elements 0.07044
published_at 2026-04-24T12:55:00Z
12
value 0.00025
scoring_system epss
scoring_elements 0.07047
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33168
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33168
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33168
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c
6
reference_url https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d
7
reference_url https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33168
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33168
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450549
reference_id 2450549
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450549
15
reference_url https://github.com/advisories/GHSA-v55j-83pf-r9cq
reference_id GHSA-v55j-83pf-r9cq
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v55j-83pf-r9cq
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
aliases CVE-2026-33168, GHSA-v55j-83pf-r9cq
risk_score 2.5
exploitability 0.5
weighted_severity 4.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-96qr-hdbp-p7ff
5
url VCID-a6z9-5n6k-2kak
vulnerability_id VCID-a6z9-5n6k-2kak
summary 
Rails Active Storage has possible content type bypass via metadata in direct uploads
### Impact
Active Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a malicious direct-upload client could set these flags.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33173.json
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33173.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33173
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02296
published_at 2026-04-04T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02269
published_at 2026-04-16T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02285
published_at 2026-04-13T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02288
published_at 2026-04-12T12:55:00Z
4
value 0.00013
scoring_system epss
scoring_elements 0.02303
published_at 2026-04-11T12:55:00Z
5
value 0.00013
scoring_system epss
scoring_elements 0.02318
published_at 2026-04-09T12:55:00Z
6
value 0.00013
scoring_system epss
scoring_elements 0.02297
published_at 2026-04-08T12:55:00Z
7
value 0.00013
scoring_system epss
scoring_elements 0.0229
published_at 2026-04-02T12:55:00Z
8
value 0.00013
scoring_system epss
scoring_elements 0.02294
published_at 2026-04-07T12:55:00Z
9
value 0.00013
scoring_system epss
scoring_elements 0.02372
published_at 2026-04-21T12:55:00Z
10
value 0.00013
scoring_system epss
scoring_elements 0.02276
published_at 2026-04-18T12:55:00Z
11
value 0.00015
scoring_system epss
scoring_elements 0.02926
published_at 2026-04-24T12:55:00Z
12
value 0.00015
scoring_system epss
scoring_elements 0.02912
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33173
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33173
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33173
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
6
reference_url https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
7
reference_url https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33173
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33173
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450545
reference_id 2450545
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450545
15
reference_url https://github.com/advisories/GHSA-qcfx-2mfw-w4cg
reference_id GHSA-qcfx-2mfw-w4cg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qcfx-2mfw-w4cg
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
aliases CVE-2026-33173, GHSA-qcfx-2mfw-w4cg
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a6z9-5n6k-2kak
6
url VCID-ad6q-vtdf-syb6
vulnerability_id VCID-ad6q-vtdf-syb6
summary 
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
### Impact
Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33658.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33658.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33658
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.04028
published_at 2026-04-26T12:55:00Z
1
value 0.00017
scoring_system epss
scoring_elements 0.0402
published_at 2026-04-24T12:55:00Z
2
value 0.00017
scoring_system epss
scoring_elements 0.0401
published_at 2026-04-21T12:55:00Z
3
value 0.0005
scoring_system epss
scoring_elements 0.15667
published_at 2026-04-02T12:55:00Z
4
value 0.0005
scoring_system epss
scoring_elements 0.15731
published_at 2026-04-04T12:55:00Z
5
value 0.0005
scoring_system epss
scoring_elements 0.15534
published_at 2026-04-07T12:55:00Z
6
value 0.0005
scoring_system epss
scoring_elements 0.1562
published_at 2026-04-08T12:55:00Z
7
value 0.0005
scoring_system epss
scoring_elements 0.15677
published_at 2026-04-09T12:55:00Z
8
value 0.0005
scoring_system epss
scoring_elements 0.15644
published_at 2026-04-11T12:55:00Z
9
value 0.0005
scoring_system epss
scoring_elements 0.15609
published_at 2026-04-12T12:55:00Z
10
value 0.0005
scoring_system epss
scoring_elements 0.15546
published_at 2026-04-13T12:55:00Z
11
value 0.0005
scoring_system epss
scoring_elements 0.15472
published_at 2026-04-16T12:55:00Z
12
value 0.0005
scoring_system epss
scoring_elements 0.1548
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33658
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33658
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33658
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
5
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
6
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
7
reference_url https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33658
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33658
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2451983
reference_id 2451983
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2451983
12
reference_url https://github.com/advisories/GHSA-p9fm-f462-ggrg
reference_id GHSA-p9fm-f462-ggrg
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p9fm-f462-ggrg
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
aliases CVE-2026-33658, GHSA-p9fm-f462-ggrg
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ad6q-vtdf-syb6
7
url VCID-dd9p-x7k3-37ea
vulnerability_id VCID-dd9p-x7k3-37ea
summary 
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28362
reference_id
reference_type
scores
0
value 0.00207
scoring_system epss
scoring_elements 0.42932
published_at 2026-04-26T12:55:00Z
1
value 0.00224
scoring_system epss
scoring_elements 0.45155
published_at 2026-04-02T12:55:00Z
2
value 0.00224
scoring_system epss
scoring_elements 0.45177
published_at 2026-04-04T12:55:00Z
3
value 0.00224
scoring_system epss
scoring_elements 0.4512
published_at 2026-04-07T12:55:00Z
4
value 0.00224
scoring_system epss
scoring_elements 0.45173
published_at 2026-04-08T12:55:00Z
5
value 0.00224
scoring_system epss
scoring_elements 0.45174
published_at 2026-04-09T12:55:00Z
6
value 0.00224
scoring_system epss
scoring_elements 0.45194
published_at 2026-04-11T12:55:00Z
7
value 0.00224
scoring_system epss
scoring_elements 0.45162
published_at 2026-04-12T12:55:00Z
8
value 0.00224
scoring_system epss
scoring_elements 0.45164
published_at 2026-04-13T12:55:00Z
9
value 0.00224
scoring_system epss
scoring_elements 0.45215
published_at 2026-04-16T12:55:00Z
10
value 0.00224
scoring_system epss
scoring_elements 0.45208
published_at 2026-04-18T12:55:00Z
11
value 0.00224
scoring_system epss
scoring_elements 0.4516
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28362
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
3
reference_url https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3
scoring_elements
1
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
7
reference_url https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
8
reference_url https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
9
reference_url https://security.netapp.com/advisory/ntap-20250502-0009
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250502-0009
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
reference_id 1051058
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2217785
reference_id 2217785
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2217785
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28362
reference_id CVE-2023-28362
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28362
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
reference_id CVE-2023-28362.YML
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
14
reference_url https://github.com/advisories/GHSA-4g8v-vg43-wpgf
reference_id GHSA-4g8v-vg43-wpgf
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/advisories/GHSA-4g8v-vg43-wpgf
15
reference_url https://access.redhat.com/errata/RHSA-2023:7851
reference_id RHSA-2023:7851
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7851
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2023-28362, GHSA-4g8v-vg43-wpgf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dd9p-x7k3-37ea
8
url VCID-g3rk-djae-pkeh
vulnerability_id VCID-g3rk-djae-pkeh
summary 
Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper in Action Pack.

Impact
------
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits
-------
Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-54133
reference_id
reference_type
scores
0
value 0.00122
scoring_system epss
scoring_elements 0.31424
published_at 2026-04-02T12:55:00Z
1
value 0.00122
scoring_system epss
scoring_elements 0.31466
published_at 2026-04-04T12:55:00Z
2
value 0.00175
scoring_system epss
scoring_elements 0.38694
published_at 2026-04-24T12:55:00Z
3
value 0.00175
scoring_system epss
scoring_elements 0.38671
published_at 2026-04-26T12:55:00Z
4
value 0.0019
scoring_system epss
scoring_elements 0.40883
published_at 2026-04-08T12:55:00Z
5
value 0.0019
scoring_system epss
scoring_elements 0.40787
published_at 2026-04-21T12:55:00Z
6
value 0.0019
scoring_system epss
scoring_elements 0.40865
published_at 2026-04-18T12:55:00Z
7
value 0.0019
scoring_system epss
scoring_elements 0.40895
published_at 2026-04-16T12:55:00Z
8
value 0.0019
scoring_system epss
scoring_elements 0.40852
published_at 2026-04-13T12:55:00Z
9
value 0.0019
scoring_system epss
scoring_elements 0.40871
published_at 2026-04-12T12:55:00Z
10
value 0.0019
scoring_system epss
scoring_elements 0.40906
published_at 2026-04-11T12:55:00Z
11
value 0.0019
scoring_system epss
scoring_elements 0.40834
published_at 2026-04-07T12:55:00Z
12
value 0.0019
scoring_system epss
scoring_elements 0.4089
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-54133
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
5
reference_url https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
6
reference_url https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
7
reference_url https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
8
reference_url https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-54133
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-54133
11
reference_url https://security.netapp.com/advisory/ntap-20250306-0010
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250306-0010
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
reference_id 1089755
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2331619
reference_id 2331619
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2331619
14
reference_url https://github.com/advisories/GHSA-vfm5-rmrh-j26v
reference_id GHSA-vfm5-rmrh-j26v
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vfm5-rmrh-j26v
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2024-54133, GHSA-vfm5-rmrh-j26v
risk_score 1.9
exploitability 0.5
weighted_severity 3.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g3rk-djae-pkeh
9
url VCID-hatd-vkun-13hj
vulnerability_id VCID-hatd-vkun-13hj
summary 
Rails Active Storage has possible glob injection in its DiskService
### Impact
Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33202.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33202.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33202
reference_id
reference_type
scores
0
value 0.00026
scoring_system epss
scoring_elements 0.0718
published_at 2026-04-08T12:55:00Z
1
value 0.00026
scoring_system epss
scoring_elements 0.0721
published_at 2026-04-09T12:55:00Z
2
value 0.00026
scoring_system epss
scoring_elements 0.07126
published_at 2026-04-07T12:55:00Z
3
value 0.00026
scoring_system epss
scoring_elements 0.07227
published_at 2026-04-21T12:55:00Z
4
value 0.00026
scoring_system epss
scoring_elements 0.07101
published_at 2026-04-18T12:55:00Z
5
value 0.00026
scoring_system epss
scoring_elements 0.07124
published_at 2026-04-16T12:55:00Z
6
value 0.00026
scoring_system epss
scoring_elements 0.07187
published_at 2026-04-13T12:55:00Z
7
value 0.00026
scoring_system epss
scoring_elements 0.07197
published_at 2026-04-12T12:55:00Z
8
value 0.00026
scoring_system epss
scoring_elements 0.07102
published_at 2026-04-02T12:55:00Z
9
value 0.00026
scoring_system epss
scoring_elements 0.07151
published_at 2026-04-04T12:55:00Z
10
value 0.00026
scoring_system epss
scoring_elements 0.07208
published_at 2026-04-11T12:55:00Z
11
value 0.00028
scoring_system epss
scoring_elements 0.07964
published_at 2026-04-26T12:55:00Z
12
value 0.00028
scoring_system epss
scoring_elements 0.07996
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33202
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33202
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33202
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c
6
reference_url https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf
7
reference_url https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33202
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33202
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450547
reference_id 2450547
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450547
15
reference_url https://github.com/advisories/GHSA-73f9-jhhh-hr5m
reference_id GHSA-73f9-jhhh-hr5m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-73f9-jhhh-hr5m
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
aliases CVE-2026-33202, GHSA-73f9-jhhh-hr5m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hatd-vkun-13hj
10
url VCID-n8r7-wthv-fqaj
vulnerability_id VCID-n8r7-wthv-fqaj
summary 
Active Record RCE bug with Serialized Columns
When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.

There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32224.json
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32224.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-32224
reference_id
reference_type
scores
0
value 0.01864
scoring_system epss
scoring_elements 0.8313
published_at 2026-04-26T12:55:00Z
1
value 0.01864
scoring_system epss
scoring_elements 0.83122
published_at 2026-04-24T12:55:00Z
2
value 0.01864
scoring_system epss
scoring_elements 0.831
published_at 2026-04-21T12:55:00Z
3
value 0.01864
scoring_system epss
scoring_elements 0.83009
published_at 2026-04-02T12:55:00Z
4
value 0.01864
scoring_system epss
scoring_elements 0.83052
published_at 2026-04-09T12:55:00Z
5
value 0.01864
scoring_system epss
scoring_elements 0.83045
published_at 2026-04-08T12:55:00Z
6
value 0.01864
scoring_system epss
scoring_elements 0.8302
published_at 2026-04-07T12:55:00Z
7
value 0.01864
scoring_system epss
scoring_elements 0.83023
published_at 2026-04-04T12:55:00Z
8
value 0.01864
scoring_system epss
scoring_elements 0.83096
published_at 2026-04-18T12:55:00Z
9
value 0.01864
scoring_system epss
scoring_elements 0.83057
published_at 2026-04-13T12:55:00Z
10
value 0.01864
scoring_system epss
scoring_elements 0.83062
published_at 2026-04-12T12:55:00Z
11
value 0.01864
scoring_system epss
scoring_elements 0.83068
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-32224
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224
3
reference_url https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-24T15:17:17Z/
url https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
6
reference_url https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a
7
reference_url https://github.com/rails/rails/commits/main/activerecord
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commits/main/activerecord
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-32224.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-32224.yml
9
reference_url https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-24T15:17:17Z/
url https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-32224
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-32224
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016140
reference_id 1016140
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016140
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2108997
reference_id 2108997
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2108997
13
reference_url https://security.gentoo.org/glsa/202408-24
reference_id GLSA-202408-24
reference_type
scores
url https://security.gentoo.org/glsa/202408-24
14
reference_url https://access.redhat.com/errata/RHSA-2023:0261
reference_id RHSA-2023:0261
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0261
15
reference_url https://access.redhat.com/errata/RHSA-2023:1151
reference_id RHSA-2023:1151
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1151
16
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2022-32224, GHSA-3hhc-qp5v-9p2j, GMS-2022-3029
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n8r7-wthv-fqaj
11
url VCID-qxe4-dubt-1kfp
vulnerability_id VCID-qxe4-dubt-1kfp
summary 
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
### Impact
When serving files through Active Storage's `Blobs::ProxyController`, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33174.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33174.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33174
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.05706
published_at 2026-04-08T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.05733
published_at 2026-04-09T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.05668
published_at 2026-04-07T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.05813
published_at 2026-04-21T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.05666
published_at 2026-04-18T12:55:00Z
5
value 0.00021
scoring_system epss
scoring_elements 0.05654
published_at 2026-04-16T12:55:00Z
6
value 0.00021
scoring_system epss
scoring_elements 0.05699
published_at 2026-04-13T12:55:00Z
7
value 0.00021
scoring_system epss
scoring_elements 0.05705
published_at 2026-04-12T12:55:00Z
8
value 0.00021
scoring_system epss
scoring_elements 0.05638
published_at 2026-04-02T12:55:00Z
9
value 0.00021
scoring_system epss
scoring_elements 0.05678
published_at 2026-04-04T12:55:00Z
10
value 0.00021
scoring_system epss
scoring_elements 0.05712
published_at 2026-04-11T12:55:00Z
11
value 0.00023
scoring_system epss
scoring_elements 0.06349
published_at 2026-04-26T12:55:00Z
12
value 0.00023
scoring_system epss
scoring_elements 0.06323
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33174
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33174
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33174
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
6
reference_url https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
7
reference_url https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33174
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33174
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450544
reference_id 2450544
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450544
15
reference_url https://github.com/advisories/GHSA-r46p-8f7g-vvvg
reference_id GHSA-r46p-8f7g-vvvg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r46p-8f7g-vvvg
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
aliases CVE-2026-33174, GHSA-r46p-8f7g-vvvg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qxe4-dubt-1kfp
12
url VCID-sarm-n22v-akcm
vulnerability_id VCID-sarm-n22v-akcm
summary 
Rails Active Support has a possible DoS vulnerability in its number helpers
### Impact
Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33176
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.05678
published_at 2026-04-04T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.05654
published_at 2026-04-16T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.05699
published_at 2026-04-13T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.05705
published_at 2026-04-12T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.05712
published_at 2026-04-11T12:55:00Z
5
value 0.00021
scoring_system epss
scoring_elements 0.05733
published_at 2026-04-09T12:55:00Z
6
value 0.00021
scoring_system epss
scoring_elements 0.05706
published_at 2026-04-08T12:55:00Z
7
value 0.00021
scoring_system epss
scoring_elements 0.05638
published_at 2026-04-02T12:55:00Z
8
value 0.00021
scoring_system epss
scoring_elements 0.05668
published_at 2026-04-07T12:55:00Z
9
value 0.00021
scoring_system epss
scoring_elements 0.05813
published_at 2026-04-21T12:55:00Z
10
value 0.00021
scoring_system epss
scoring_elements 0.05666
published_at 2026-04-18T12:55:00Z
11
value 0.00023
scoring_system epss
scoring_elements 0.06323
published_at 2026-04-24T12:55:00Z
12
value 0.00023
scoring_system epss
scoring_elements 0.06349
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33176
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33176
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33176
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
6
reference_url https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
7
reference_url https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33176
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33176
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450551
reference_id 2450551
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450551
15
reference_url https://github.com/advisories/GHSA-2j26-frm8-cmj9
reference_id GHSA-2j26-frm8-cmj9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2j26-frm8-cmj9
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
aliases CVE-2026-33176, GHSA-2j26-frm8-cmj9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sarm-n22v-akcm
13
url VCID-sfyc-jewr-wuf5
vulnerability_id VCID-sfyc-jewr-wuf5
summary 
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact
------

For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47887
reference_id
reference_type
scores
0
value 0.00273
scoring_system epss
scoring_elements 0.50669
published_at 2026-04-24T12:55:00Z
1
value 0.00273
scoring_system epss
scoring_elements 0.50676
published_at 2026-04-26T12:55:00Z
2
value 0.00296
scoring_system epss
scoring_elements 0.52964
published_at 2026-04-11T12:55:00Z
3
value 0.00296
scoring_system epss
scoring_elements 0.5296
published_at 2026-04-21T12:55:00Z
4
value 0.00296
scoring_system epss
scoring_elements 0.52976
published_at 2026-04-18T12:55:00Z
5
value 0.00296
scoring_system epss
scoring_elements 0.5297
published_at 2026-04-16T12:55:00Z
6
value 0.00296
scoring_system epss
scoring_elements 0.52932
published_at 2026-04-13T12:55:00Z
7
value 0.00296
scoring_system epss
scoring_elements 0.52948
published_at 2026-04-12T12:55:00Z
8
value 0.00296
scoring_system epss
scoring_elements 0.52876
published_at 2026-04-02T12:55:00Z
9
value 0.00296
scoring_system epss
scoring_elements 0.52901
published_at 2026-04-04T12:55:00Z
10
value 0.00296
scoring_system epss
scoring_elements 0.5287
published_at 2026-04-07T12:55:00Z
11
value 0.00296
scoring_system epss
scoring_elements 0.5292
published_at 2026-04-08T12:55:00Z
12
value 0.00296
scoring_system epss
scoring_elements 0.52914
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47887
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319034
reference_id 2319034
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319034
9
reference_url https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049
reference_id 56b2fc3302836405b496e196a8d5fc0195e55049
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049
10
reference_url https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a
reference_id 7c1398854d51f9bb193fb79f226647351133d08a
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a
11
reference_url https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
reference_id 8e057db25bff1dc7a98e9ae72e0083825b9ac545
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47887
reference_id CVE-2024-47887
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-47887
13
reference_url https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
reference_id f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
14
reference_url https://github.com/advisories/GHSA-vfg9-r3fq-jvx4
reference_id GHSA-vfg9-r3fq-jvx4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vfg9-r3fq-jvx4
15
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2024-47887, GHSA-vfg9-r3fq-jvx4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sfyc-jewr-wuf5
14
url VCID-sgdb-985e-4uej
vulnerability_id VCID-sgdb-985e-4uej
summary 
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact
------

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------

Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json
1
reference_url https://access.redhat.com/security/cve/cve-2024-41128
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://access.redhat.com/security/cve/cve-2024-41128
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-41128
reference_id
reference_type
scores
0
value 0.00557
scoring_system epss
scoring_elements 0.68264
published_at 2026-04-26T12:55:00Z
1
value 0.00557
scoring_system epss
scoring_elements 0.68256
published_at 2026-04-24T12:55:00Z
2
value 0.00605
scoring_system epss
scoring_elements 0.69632
published_at 2026-04-12T12:55:00Z
3
value 0.00605
scoring_system epss
scoring_elements 0.69647
published_at 2026-04-11T12:55:00Z
4
value 0.00605
scoring_system epss
scoring_elements 0.69624
published_at 2026-04-09T12:55:00Z
5
value 0.00605
scoring_system epss
scoring_elements 0.69608
published_at 2026-04-08T12:55:00Z
6
value 0.00605
scoring_system epss
scoring_elements 0.69648
published_at 2026-04-21T12:55:00Z
7
value 0.00605
scoring_system epss
scoring_elements 0.69666
published_at 2026-04-18T12:55:00Z
8
value 0.00605
scoring_system epss
scoring_elements 0.69657
published_at 2026-04-16T12:55:00Z
9
value 0.00605
scoring_system epss
scoring_elements 0.69618
published_at 2026-04-13T12:55:00Z
10
value 0.00605
scoring_system epss
scoring_elements 0.69557
published_at 2026-04-07T12:55:00Z
11
value 0.00605
scoring_system epss
scoring_elements 0.69578
published_at 2026-04-04T12:55:00Z
12
value 0.00605
scoring_system epss
scoring_elements 0.69562
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-41128
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319036
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2319036
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
8
reference_url https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
9
reference_url https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
10
reference_url https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-41128
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-41128
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
15
reference_url https://github.com/advisories/GHSA-x76w-6vjr-8xgj
reference_id GHSA-x76w-6vjr-8xgj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x76w-6vjr-8xgj
16
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2024-41128, GHSA-x76w-6vjr-8xgj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sgdb-985e-4uej
15
url VCID-sygb-mygd-s3gb
vulnerability_id VCID-sygb-mygd-s3gb
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44566.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44566.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-44566
reference_id
reference_type
scores
0
value 0.01543
scoring_system epss
scoring_elements 0.81448
published_at 2026-04-26T12:55:00Z
1
value 0.01543
scoring_system epss
scoring_elements 0.8144
published_at 2026-04-24T12:55:00Z
2
value 0.02076
scoring_system epss
scoring_elements 0.83996
published_at 2026-04-21T12:55:00Z
3
value 0.02421
scoring_system epss
scoring_elements 0.85132
published_at 2026-04-12T12:55:00Z
4
value 0.02421
scoring_system epss
scoring_elements 0.85087
published_at 2026-04-04T12:55:00Z
5
value 0.02421
scoring_system epss
scoring_elements 0.85091
published_at 2026-04-07T12:55:00Z
6
value 0.02421
scoring_system epss
scoring_elements 0.8512
published_at 2026-04-09T12:55:00Z
7
value 0.02421
scoring_system epss
scoring_elements 0.85153
published_at 2026-04-18T12:55:00Z
8
value 0.02421
scoring_system epss
scoring_elements 0.8515
published_at 2026-04-16T12:55:00Z
9
value 0.02421
scoring_system epss
scoring_elements 0.85129
published_at 2026-04-13T12:55:00Z
10
value 0.02421
scoring_system epss
scoring_elements 0.85113
published_at 2026-04-08T12:55:00Z
11
value 0.02421
scoring_system epss
scoring_elements 0.8507
published_at 2026-04-02T12:55:00Z
12
value 0.02421
scoring_system epss
scoring_elements 0.85134
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-44566
2
reference_url https://code.jeremyevans.net/2022-11-01-forcing-sequential-scans-on-postgresql.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-25T13:43:31Z/
url https://code.jeremyevans.net/2022-11-01-forcing-sequential-scans-on-postgresql.html
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44566
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44566
4
reference_url https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-25T13:43:31Z/
url https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rails/rails/commit/4f44aa9d514e701ada92b5cf08beccf566eeaebf
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/4f44aa9d514e701ada92b5cf08beccf566eeaebf
8
reference_url https://github.com/rails/rails/commit/82bcdc011e2ff674e7dd8fd8cee3a831c908d29b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/82bcdc011e2ff674e7dd8fd8cee3a831c908d29b
9
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
10
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
11
reference_url https://mailchi.mp/railslts/rails-lts-multiple-dos-vulnerabilities-in-rails-rack-and-globalid
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://mailchi.mp/railslts/rails-lts-multiple-dos-vulnerabilities-in-rails-rack-and-globalid
12
reference_url https://makandracards.com/railslts/508019-rails-5-2-lts-changelog#section-jan-20th-2023-rails-version-5-2-8-15
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://makandracards.com/railslts/508019-rails-5-2-lts-changelog#section-jan-20th-2023-rails-version-5-2-8-15
13
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164789
reference_id 2164789
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164789
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-44566
reference_id CVE-2022-44566
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-44566
17
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-44566.yml
reference_id CVE-2022-44566.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-44566.yml
18
reference_url https://github.com/advisories/GHSA-579w-22j4-4749
reference_id GHSA-579w-22j4-4749
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-579w-22j4-4749
19
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2022-44566, GHSA-579w-22j4-4749, GMS-2023-59
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sygb-mygd-s3gb
16
url VCID-wpmk-wgpm-cuee
vulnerability_id VCID-wpmk-wgpm-cuee
summary 
Rails Active Storage has possible Path Traversal in DiskService
### Impact
Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33195.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33195.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33195
reference_id
reference_type
scores
0
value 0.00033
scoring_system epss
scoring_elements 0.09502
published_at 2026-04-04T12:55:00Z
1
value 0.00033
scoring_system epss
scoring_elements 0.09549
published_at 2026-04-21T12:55:00Z
2
value 0.00033
scoring_system epss
scoring_elements 0.094
published_at 2026-04-18T12:55:00Z
3
value 0.00033
scoring_system epss
scoring_elements 0.09398
published_at 2026-04-16T12:55:00Z
4
value 0.00033
scoring_system epss
scoring_elements 0.09504
published_at 2026-04-13T12:55:00Z
5
value 0.00033
scoring_system epss
scoring_elements 0.09521
published_at 2026-04-12T12:55:00Z
6
value 0.00033
scoring_system epss
scoring_elements 0.0955
published_at 2026-04-11T12:55:00Z
7
value 0.00033
scoring_system epss
scoring_elements 0.09536
published_at 2026-04-09T12:55:00Z
8
value 0.00033
scoring_system epss
scoring_elements 0.09489
published_at 2026-04-08T12:55:00Z
9
value 0.00033
scoring_system epss
scoring_elements 0.09454
published_at 2026-04-02T12:55:00Z
10
value 0.00033
scoring_system epss
scoring_elements 0.09415
published_at 2026-04-07T12:55:00Z
11
value 0.00036
scoring_system epss
scoring_elements 0.10579
published_at 2026-04-26T12:55:00Z
12
value 0.00036
scoring_system epss
scoring_elements 0.1058
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33195
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33195
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33195
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
6
reference_url https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
7
reference_url https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33195
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33195
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450546
reference_id 2450546
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450546
15
reference_url https://github.com/advisories/GHSA-9xrj-h377-fr87
reference_id GHSA-9xrj-h377-fr87
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9xrj-h377-fr87
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1
aliases CVE-2026-33195, GHSA-9xrj-h377-fr87
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wpmk-wgpm-cuee
17
url VCID-yy6t-ybeu-qycc
vulnerability_id VCID-yy6t-ybeu-qycc
summary 
Possible ReDoS vulnerability in block_format in Action Mailer
There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.

Impact
------

Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users can avoid calling the `block_format` helper or upgrade to Ruby 3.2

Credits
-------

Thanks to yuki_osaki for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47889
reference_id
reference_type
scores
0
value 0.00317
scoring_system epss
scoring_elements 0.54793
published_at 2026-04-26T12:55:00Z
1
value 0.00317
scoring_system epss
scoring_elements 0.54773
published_at 2026-04-24T12:55:00Z
2
value 0.00344
scoring_system epss
scoring_elements 0.57066
published_at 2026-04-13T12:55:00Z
3
value 0.00344
scoring_system epss
scoring_elements 0.5709
published_at 2026-04-18T12:55:00Z
4
value 0.00344
scoring_system epss
scoring_elements 0.57047
published_at 2026-04-02T12:55:00Z
5
value 0.00344
scoring_system epss
scoring_elements 0.57068
published_at 2026-04-21T12:55:00Z
6
value 0.00344
scoring_system epss
scoring_elements 0.57094
published_at 2026-04-16T12:55:00Z
7
value 0.00344
scoring_system epss
scoring_elements 0.57046
published_at 2026-04-07T12:55:00Z
8
value 0.00344
scoring_system epss
scoring_elements 0.57069
published_at 2026-04-04T12:55:00Z
9
value 0.00344
scoring_system epss
scoring_elements 0.57111
published_at 2026-04-11T12:55:00Z
10
value 0.00344
scoring_system epss
scoring_elements 0.57099
published_at 2026-04-09T12:55:00Z
11
value 0.00344
scoring_system epss
scoring_elements 0.57097
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47889
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47889
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47889
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
7
reference_url https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
reference_id 0e5694f4d32544532d2301a9b4084eacb6986e94
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319033
reference_id 2319033
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319033
10
reference_url https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
reference_id 3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
11
reference_url https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
reference_id 985f1923fa62806ff676e41de67c3b4552131ab9
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
12
reference_url https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
reference_id be898cc996986decfe238341d96b2a6573b8fd2e
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47889
reference_id CVE-2024-47889
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-47889
14
reference_url https://github.com/advisories/GHSA-h47h-mwp9-c6q6
reference_id GHSA-h47h-mwp9-c6q6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h47h-mwp9-c6q6
15
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2024-47889, GHSA-h47h-mwp9-c6q6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yy6t-ybeu-qycc
18
url VCID-yzpx-3gam-y3bu
vulnerability_id VCID-yzpx-3gam-y3bu
summary 
Active Storage allowed transformation methods that were potentially unsafe
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

This has been assigned the CVE identifier CVE-2025-24293.


Versions Affected:  >= 5.2.0
Not affected:       < 5.2.0
Fixed Versions:     7.1.5.2, 7.2.2.2, 8.0.2.1

Impact
------
This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this:

```
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed.

Credits
-------

Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24293.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24293.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-24293
reference_id
reference_type
scores
0
value 0.002
scoring_system epss
scoring_elements 0.42091
published_at 2026-04-02T12:55:00Z
1
value 0.002
scoring_system epss
scoring_elements 0.42056
published_at 2026-04-07T12:55:00Z
2
value 0.002
scoring_system epss
scoring_elements 0.42119
published_at 2026-04-04T12:55:00Z
3
value 0.00209
scoring_system epss
scoring_elements 0.43351
published_at 2026-04-18T12:55:00Z
4
value 0.00209
scoring_system epss
scoring_elements 0.43361
published_at 2026-04-16T12:55:00Z
5
value 0.00209
scoring_system epss
scoring_elements 0.43301
published_at 2026-04-13T12:55:00Z
6
value 0.00209
scoring_system epss
scoring_elements 0.43316
published_at 2026-04-12T12:55:00Z
7
value 0.00209
scoring_system epss
scoring_elements 0.43347
published_at 2026-04-11T12:55:00Z
8
value 0.00209
scoring_system epss
scoring_elements 0.43327
published_at 2026-04-09T12:55:00Z
9
value 0.00209
scoring_system epss
scoring_elements 0.43312
published_at 2026-04-08T12:55:00Z
10
value 0.00209
scoring_system epss
scoring_elements 0.43222
published_at 2026-04-26T12:55:00Z
11
value 0.00209
scoring_system epss
scoring_elements 0.4322
published_at 2026-04-24T12:55:00Z
12
value 0.00209
scoring_system epss
scoring_elements 0.43287
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-24293
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24293
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24293
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/advisories/GHSA-r4mg-4433-c7g3
reference_id
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-02T14:45:32Z/
url https://github.com/advisories/GHSA-r4mg-4433-c7g3
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/1b1adf6ee6ca0f3104fcfce79360b2ec1e06a354
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/1b1adf6ee6ca0f3104fcfce79360b2ec1e06a354
7
reference_url https://github.com/rails/rails/commit/2d612735ac0d9712fdfffaf80afa627e7295f6ce
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2d612735ac0d9712fdfffaf80afa627e7295f6ce
8
reference_url https://github.com/rails/rails/commit/fb8f3a18c3d97524c0efc29150d1e5f3162fbb13
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/fb8f3a18c3d97524c0efc29150d1e5f3162fbb13
9
reference_url https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3
reference_id
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-24293
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-24293
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2435565
reference_id 2435565
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2435565
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2025-24293, GHSA-r4mg-4433-c7g3
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yzpx-3gam-y3bu
19
url VCID-zqzx-avvt-wkhm
vulnerability_id VCID-zqzx-avvt-wkhm
summary 
Active Record logging vulnerable to ANSI escape injection
This vulnerability has been assigned the CVE identifier CVE-2025-55193

### Impact
The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.

### Releases
The fixed releases are available at the normal locations.

### Credits

Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55193.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55193.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55193
reference_id
reference_type
scores
0
value 0.00136
scoring_system epss
scoring_elements 0.33444
published_at 2026-04-02T12:55:00Z
1
value 0.00136
scoring_system epss
scoring_elements 0.33335
published_at 2026-04-13T12:55:00Z
2
value 0.00136
scoring_system epss
scoring_elements 0.33358
published_at 2026-04-12T12:55:00Z
3
value 0.00136
scoring_system epss
scoring_elements 0.334
published_at 2026-04-11T12:55:00Z
4
value 0.00136
scoring_system epss
scoring_elements 0.33396
published_at 2026-04-09T12:55:00Z
5
value 0.00136
scoring_system epss
scoring_elements 0.33363
published_at 2026-04-08T12:55:00Z
6
value 0.00136
scoring_system epss
scoring_elements 0.33317
published_at 2026-04-07T12:55:00Z
7
value 0.00136
scoring_system epss
scoring_elements 0.33475
published_at 2026-04-04T12:55:00Z
8
value 0.00136
scoring_system epss
scoring_elements 0.3337
published_at 2026-04-16T12:55:00Z
9
value 0.00148
scoring_system epss
scoring_elements 0.34957
published_at 2026-04-26T12:55:00Z
10
value 0.00148
scoring_system epss
scoring_elements 0.34975
published_at 2026-04-24T12:55:00Z
11
value 0.00148
scoring_system epss
scoring_elements 0.35209
published_at 2026-04-21T12:55:00Z
12
value 0.00148
scoring_system epss
scoring_elements 0.35258
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55193
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55193
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55193
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:42:07Z/
url https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290
6
reference_url https://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:42:07Z/
url https://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b
7
reference_url https://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:42:07Z/
url https://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202
8
reference_url https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:42:07Z/
url https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2025-55193.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2025-55193.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55193
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55193
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111106
reference_id 1111106
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111106
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2388446
reference_id 2388446
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2388446
13
reference_url https://github.com/advisories/GHSA-76r7-hhxj-r776
reference_id GHSA-76r7-hhxj-r776
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-76r7-hhxj-r776
fixed_packages
0
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-96qr-hdbp-p7ff
3
vulnerability VCID-a6z9-5n6k-2kak
4
vulnerability VCID-ad6q-vtdf-syb6
5
vulnerability VCID-hatd-vkun-13hj
6
vulnerability VCID-qxe4-dubt-1kfp
7
vulnerability VCID-sarm-n22v-akcm
8
vulnerability VCID-wpmk-wgpm-cuee
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2
aliases CVE-2025-55193, GHSA-76r7-hhxj-r776
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zqzx-avvt-wkhm
Fixing_vulnerabilities
0
url VCID-12x8-jxdf-jqdz
vulnerability_id VCID-12x8-jxdf-jqdz
summary 
Actionpack Open Redirect Vulnerability
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22881
reference_id
reference_type
scores
0
value 0.15453
scoring_system epss
scoring_elements 0.94673
published_at 2026-04-26T12:55:00Z
1
value 0.15453
scoring_system epss
scoring_elements 0.94672
published_at 2026-04-21T12:55:00Z
2
value 0.15453
scoring_system epss
scoring_elements 0.94667
published_at 2026-04-18T12:55:00Z
3
value 0.15453
scoring_system epss
scoring_elements 0.94665
published_at 2026-04-16T12:55:00Z
4
value 0.15453
scoring_system epss
scoring_elements 0.94656
published_at 2026-04-13T12:55:00Z
5
value 0.15453
scoring_system epss
scoring_elements 0.94652
published_at 2026-04-11T12:55:00Z
6
value 0.15453
scoring_system epss
scoring_elements 0.94626
published_at 2026-04-02T12:55:00Z
7
value 0.15453
scoring_system epss
scoring_elements 0.94632
published_at 2026-04-04T12:55:00Z
8
value 0.15453
scoring_system epss
scoring_elements 0.94634
published_at 2026-04-07T12:55:00Z
9
value 0.15453
scoring_system epss
scoring_elements 0.94648
published_at 2026-04-09T12:55:00Z
10
value 0.15453
scoring_system epss
scoring_elements 0.94619
published_at 2026-04-01T12:55:00Z
11
value 0.15453
scoring_system epss
scoring_elements 0.94644
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22881
2
reference_url https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881
4
reference_url https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md
8
reference_url https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml
10
reference_url https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E
11
reference_url https://hackerone.com/reports/1047447
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1047447
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22881
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22881
15
reference_url https://rubygems.org/gems/actionpack
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubygems.org/gems/actionpack
16
reference_url http://www.openwall.com/lists/oss-security/2021/05/05/2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/05/05/2
17
reference_url http://www.openwall.com/lists/oss-security/2021/08/20/1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/08/20/1
18
reference_url http://www.openwall.com/lists/oss-security/2021/12/14/5
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/12/14/5
19
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1930211
reference_id 1930211
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1930211
20
reference_url https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/
reference_id CVE-2021-22881-FAILLE-DE-SECURITE-DANS-LE-MIDDLEWARE-HOSTAUTHORIZATION
reference_type
scores
url https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/
21
reference_url https://github.com/advisories/GHSA-8877-prq4-9xfw
reference_id GHSA-8877-prq4-9xfw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8877-prq4-9xfw
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2021-22881, GHSA-8877-prq4-9xfw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-12x8-jxdf-jqdz
1
url VCID-19fr-55kr-hyax
vulnerability_id VCID-19fr-55kr-hyax
summary 
rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements
NOTE: rails-ujs is part of Rails/actionview since 5.1.0.

There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to
occur when pasting malicious HTML content from the clipboard that
includes a data-method, data-remote or data-disable-with attribute.

This vulnerability has been assigned the CVE identifier CVE-2023-23913.

Not affected: < 5.1.0
Versions Affected: >= 5.1.0
Fixed Versions: 6.1.7.3, 7.0.4.3

Impact
If the specified malicious HTML clipboard content is provided to a
contenteditable element, this could result in the arbitrary execution
of javascript on the origin in question.

Releases
The FIXED releases are available at the normal locations.

Workarounds
We recommend that all users upgrade to one of the FIXED versions.
In the meantime, users can attempt to mitigate this vulnerability
by removing the contenteditable attribute from elements in pages
that rails-ujs will interact with.

Patches
To aid users who aren’t able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am
format and consist of a single changeset.

* rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series
* rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are
supported at present, and 6.0.Z for severe vulnerabilities.

Users of earlier unsupported releases are advised to upgrade as
soon as possible as we cannot guarantee the continued availability
of security fixes for unsupported releases.

Credits
We would like to thank ryotak 15 for reporting this!

* rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB)
* rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB)
* rails-ujs-data-method-contenteditable-main.patch (8.9 KB)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23913.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23913.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-23913
reference_id
reference_type
scores
0
value 0.00115
scoring_system epss
scoring_elements 0.30353
published_at 2026-04-04T12:55:00Z
1
value 0.00115
scoring_system epss
scoring_elements 0.30179
published_at 2026-04-13T12:55:00Z
2
value 0.00115
scoring_system epss
scoring_elements 0.30226
published_at 2026-04-12T12:55:00Z
3
value 0.00115
scoring_system epss
scoring_elements 0.30304
published_at 2026-04-02T12:55:00Z
4
value 0.00115
scoring_system epss
scoring_elements 0.30269
published_at 2026-04-11T12:55:00Z
5
value 0.00115
scoring_system epss
scoring_elements 0.30265
published_at 2026-04-09T12:55:00Z
6
value 0.00115
scoring_system epss
scoring_elements 0.3023
published_at 2026-04-08T12:55:00Z
7
value 0.00115
scoring_system epss
scoring_elements 0.3017
published_at 2026-04-07T12:55:00Z
8
value 0.00152
scoring_system epss
scoring_elements 0.35596
published_at 2026-04-26T12:55:00Z
9
value 0.00152
scoring_system epss
scoring_elements 0.35627
published_at 2026-04-24T12:55:00Z
10
value 0.00152
scoring_system epss
scoring_elements 0.35856
published_at 2026-04-21T12:55:00Z
11
value 0.00152
scoring_system epss
scoring_elements 0.35905
published_at 2026-04-18T12:55:00Z
12
value 0.00152
scoring_system epss
scoring_elements 0.35918
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-23913
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
5
reference_url https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
9
reference_url https://github.com/rails/rails/commit/73009ea59a811b28e8ec2a9c9bc24635aa891214
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/73009ea59a811b28e8ec2a9c9bc24635aa891214
10
reference_url https://security.netapp.com/advisory/ntap-20240605-0007
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240605-0007
11
reference_url https://www.debian.org/security/2023/dsa-5389
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://www.debian.org/security/2023/dsa-5389
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2182160
reference_id 2182160
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2182160
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-23913
reference_id CVE-2023-23913
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-23913
14
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2023-23913.yml
reference_id CVE-2023-23913.YML
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2023-23913.yml
15
reference_url https://github.com/advisories/GHSA-xp5h-f8jf-rc8q
reference_id GHSA-xp5h-f8jf-rc8q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xp5h-f8jf-rc8q
16
reference_url https://security.netapp.com/advisory/ntap-20240605-0007/
reference_id ntap-20240605-0007
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://security.netapp.com/advisory/ntap-20240605-0007/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2023-23913, GHSA-xp5h-f8jf-rc8q
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-19fr-55kr-hyax
2
url VCID-1bxs-yghe-cyck
vulnerability_id VCID-1bxs-yghe-cyck
summary 
URL Redirection to Untrusted Site ('Open Redirect')
A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22942
reference_id
reference_type
scores
0
value 0.00533
scoring_system epss
scoring_elements 0.67402
published_at 2026-04-21T12:55:00Z
1
value 0.00533
scoring_system epss
scoring_elements 0.67425
published_at 2026-04-18T12:55:00Z
2
value 0.00533
scoring_system epss
scoring_elements 0.67413
published_at 2026-04-16T12:55:00Z
3
value 0.00533
scoring_system epss
scoring_elements 0.67378
published_at 2026-04-13T12:55:00Z
4
value 0.00533
scoring_system epss
scoring_elements 0.67412
published_at 2026-04-12T12:55:00Z
5
value 0.00533
scoring_system epss
scoring_elements 0.67424
published_at 2026-04-11T12:55:00Z
6
value 0.00533
scoring_system epss
scoring_elements 0.67403
published_at 2026-04-09T12:55:00Z
7
value 0.00533
scoring_system epss
scoring_elements 0.6739
published_at 2026-04-08T12:55:00Z
8
value 0.00533
scoring_system epss
scoring_elements 0.67361
published_at 2026-04-04T12:55:00Z
9
value 0.00533
scoring_system epss
scoring_elements 0.67339
published_at 2026-04-07T12:55:00Z
10
value 0.00533
scoring_system epss
scoring_elements 0.67302
published_at 2026-04-01T12:55:00Z
11
value 0.00533
scoring_system epss
scoring_elements 0.67433
published_at 2026-04-26T12:55:00Z
12
value 0.00533
scoring_system epss
scoring_elements 0.67422
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22942
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
13
reference_url https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c
14
reference_url https://rubygems.org/gems/actionpack
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubygems.org/gems/actionpack
15
reference_url https://security.netapp.com/advisory/ntap-20240202-0005
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0005
16
reference_url https://security.netapp.com/advisory/ntap-20240202-0005/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240202-0005/
17
reference_url https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released
18
reference_url https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/
reference_id
reference_type
scores
url https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/
19
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
20
reference_url http://www.openwall.com/lists/oss-security/2021/12/14/5
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/12/14/5
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1995940
reference_id 1995940
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1995940
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586
reference_id 992586
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586
23
reference_url https://security.archlinux.org/AVG-2492
reference_id AVG-2492
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2492
24
reference_url https://security.archlinux.org/AVG-2493
reference_id AVG-2493
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2493
25
reference_url https://access.redhat.com/security/cve/cve-2021-22942
reference_id CVE-2021-22942
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/cve-2021-22942
26
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22942
reference_id CVE-2021-22942
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22942
27
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml
reference_id CVE-2021-22942.YML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml
28
reference_url https://github.com/advisories/GHSA-2rqw-v265-jf8c
reference_id GHSA-2rqw-v265-jf8c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2rqw-v265-jf8c
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2021-22942, GHSA-2rqw-v265-jf8c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1bxs-yghe-cyck
3
url VCID-1rxp-g9rz-4yb3
vulnerability_id VCID-1rxp-g9rz-4yb3
summary 
Possible XSS Security Vulnerability in SafeBuffer#bytesplice
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

# Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

# Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28120
reference_id
reference_type
scores
0
value 0.00395
scoring_system epss
scoring_elements 0.60409
published_at 2026-04-26T12:55:00Z
1
value 0.00395
scoring_system epss
scoring_elements 0.60317
published_at 2026-04-07T12:55:00Z
2
value 0.00395
scoring_system epss
scoring_elements 0.60394
published_at 2026-04-24T12:55:00Z
3
value 0.00395
scoring_system epss
scoring_elements 0.60419
published_at 2026-04-18T12:55:00Z
4
value 0.00395
scoring_system epss
scoring_elements 0.60411
published_at 2026-04-21T12:55:00Z
5
value 0.00395
scoring_system epss
scoring_elements 0.6037
published_at 2026-04-13T12:55:00Z
6
value 0.00395
scoring_system epss
scoring_elements 0.60389
published_at 2026-04-12T12:55:00Z
7
value 0.00395
scoring_system epss
scoring_elements 0.60403
published_at 2026-04-11T12:55:00Z
8
value 0.00395
scoring_system epss
scoring_elements 0.60323
published_at 2026-04-02T12:55:00Z
9
value 0.00395
scoring_system epss
scoring_elements 0.60382
published_at 2026-04-09T12:55:00Z
10
value 0.00395
scoring_system epss
scoring_elements 0.60366
published_at 2026-04-08T12:55:00Z
11
value 0.00395
scoring_system epss
scoring_elements 0.60349
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28120
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
4
reference_url https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
9
reference_url https://security.netapp.com/advisory/ntap-20240202-0006
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0006
10
reference_url https://www.debian.org/security/2023/dsa-5389
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://www.debian.org/security/2023/dsa-5389
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262
reference_id 1033262
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2179637
reference_id 2179637
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2179637
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28120
reference_id CVE-2023-28120
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28120
14
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
reference_id CVE-2023-28120.YML
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
15
reference_url https://github.com/advisories/GHSA-pj73-v5mw-pm9j
reference_id GHSA-pj73-v5mw-pm9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pj73-v5mw-pm9j
16
reference_url https://security.netapp.com/advisory/ntap-20240202-0006/
reference_id ntap-20240202-0006
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://security.netapp.com/advisory/ntap-20240202-0006/
17
reference_url https://access.redhat.com/errata/RHSA-2023:1953
reference_id RHSA-2023:1953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1953
18
reference_url https://access.redhat.com/errata/RHSA-2023:3495
reference_id RHSA-2023:3495
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3495
19
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
reference_id UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
reference_id ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2023-28120, GHSA-pj73-v5mw-pm9j, GMS-2023-765
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1rxp-g9rz-4yb3
4
url VCID-1x8k-t8mr-3fgp
vulnerability_id VCID-1x8k-t8mr-3fgp
summary 
URL Redirection to Untrusted Site ('Open Redirect')
A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-44528
reference_id
reference_type
scores
0
value 0.25125
scoring_system epss
scoring_elements 0.96178
published_at 2026-04-12T12:55:00Z
1
value 0.25125
scoring_system epss
scoring_elements 0.96161
published_at 2026-04-07T12:55:00Z
2
value 0.25125
scoring_system epss
scoring_elements 0.96158
published_at 2026-04-04T12:55:00Z
3
value 0.25125
scoring_system epss
scoring_elements 0.9615
published_at 2026-04-02T12:55:00Z
4
value 0.25125
scoring_system epss
scoring_elements 0.96142
published_at 2026-04-01T12:55:00Z
5
value 0.25125
scoring_system epss
scoring_elements 0.96194
published_at 2026-04-21T12:55:00Z
6
value 0.25125
scoring_system epss
scoring_elements 0.96193
published_at 2026-04-18T12:55:00Z
7
value 0.25125
scoring_system epss
scoring_elements 0.96188
published_at 2026-04-16T12:55:00Z
8
value 0.25125
scoring_system epss
scoring_elements 0.9618
published_at 2026-04-13T12:55:00Z
9
value 0.25125
scoring_system epss
scoring_elements 0.96175
published_at 2026-04-09T12:55:00Z
10
value 0.25125
scoring_system epss
scoring_elements 0.96171
published_at 2026-04-08T12:55:00Z
11
value 0.40819
scoring_system epss
scoring_elements 0.97384
published_at 2026-04-26T12:55:00Z
12
value 0.40819
scoring_system epss
scoring_elements 0.97382
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-44528
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
13
reference_url https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021
14
reference_url https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815
15
reference_url https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml
17
reference_url https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ
18
reference_url https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer
19
reference_url https://security.netapp.com/advisory/ntap-20240208-0003
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240208-0003
20
reference_url https://security.netapp.com/advisory/ntap-20240208-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240208-0003/
21
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817
reference_id 1001817
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2034266
reference_id 2034266
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2034266
24
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-44528
reference_id CVE-2021-44528
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-44528
25
reference_url https://github.com/advisories/GHSA-qphc-hf5q-v8fc
reference_id GHSA-qphc-hf5q-v8fc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qphc-hf5q-v8fc
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2021-44528, GHSA-qphc-hf5q-v8fc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1x8k-t8mr-3fgp
5
url VCID-31xv-z8c6-a7bg
vulnerability_id VCID-31xv-z8c6-a7bg
summary 
XSS in Action View
There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks.

### Impact

When an HTML-unsafe string is passed as the default for a missing translation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations), the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples:

```erb
<%# The welcome_html translation is not defined for the current locale: %>
<%= t("welcome_html", default: untrusted_user_controlled_string) %>

<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>
<%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %>
```

### Patches

Patched Rails versions, 6.0.3.3 and 5.2.4.4, are available from the normal locations.

The patches have also been applied to the `master`, `6-0-stable`, and `5-2-stable` branches on GitHub. If you track any of these branches, you should update to the latest.

To aid users who aren’t able to upgrade immediately, we’ve provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* [5-2-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-5-2-translate-helper-xss-patch) — patch for the 5.2 release series
* [6-0-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-6-0-translate-helper-xss-patch) — patch for the 6.0 release series

Please note that only the 5.2 and 6.0 release series are currently supported. Users of earlier, unsupported releases are advised to update as soon as possible, as we cannot provide security fixes for unsupported releases.

### Workarounds

Impacted users who can’t upgrade to a patched Rails version can avoid this issue by manually escaping default translations with the `html_escape` helper (aliased as `h`):

```erb
<%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15169.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15169.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-15169
reference_id
reference_type
scores
0
value 0.01497
scoring_system epss
scoring_elements 0.81183
published_at 2026-04-26T12:55:00Z
1
value 0.01497
scoring_system epss
scoring_elements 0.81052
published_at 2026-04-01T12:55:00Z
2
value 0.01497
scoring_system epss
scoring_elements 0.81061
published_at 2026-04-02T12:55:00Z
3
value 0.01497
scoring_system epss
scoring_elements 0.81085
published_at 2026-04-07T12:55:00Z
4
value 0.01497
scoring_system epss
scoring_elements 0.81112
published_at 2026-04-08T12:55:00Z
5
value 0.01497
scoring_system epss
scoring_elements 0.81118
published_at 2026-04-09T12:55:00Z
6
value 0.01497
scoring_system epss
scoring_elements 0.81136
published_at 2026-04-11T12:55:00Z
7
value 0.01497
scoring_system epss
scoring_elements 0.81123
published_at 2026-04-12T12:55:00Z
8
value 0.01497
scoring_system epss
scoring_elements 0.81116
published_at 2026-04-13T12:55:00Z
9
value 0.01497
scoring_system epss
scoring_elements 0.81153
published_at 2026-04-16T12:55:00Z
10
value 0.01497
scoring_system epss
scoring_elements 0.81155
published_at 2026-04-18T12:55:00Z
11
value 0.01497
scoring_system epss
scoring_elements 0.81152
published_at 2026-04-21T12:55:00Z
12
value 0.01497
scoring_system epss
scoring_elements 0.81175
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-15169
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-15169.yml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-15169.yml
13
reference_url https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
14
reference_url https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-15169
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-15169
18
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
19
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1877566
reference_id 1877566
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1877566
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970040
reference_id 970040
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970040
21
reference_url https://github.com/advisories/GHSA-cfjv-5498-mph5
reference_id GHSA-cfjv-5498-mph5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cfjv-5498-mph5
22
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-19fr-55kr-hyax
2
vulnerability VCID-1bxs-yghe-cyck
3
vulnerability VCID-1rxp-g9rz-4yb3
4
vulnerability VCID-1x8k-t8mr-3fgp
5
vulnerability VCID-31xv-z8c6-a7bg
6
vulnerability VCID-3hur-esmy-x3hr
7
vulnerability VCID-5qu2-b8gt-7qe3
8
vulnerability VCID-63gy-6njy-kbd8
9
vulnerability VCID-6ku5-mtgz-zygw
10
vulnerability VCID-6pxd-xsaw-tuer
11
vulnerability VCID-895a-ydc5-zfg6
12
vulnerability VCID-a6sp-18av-wya6
13
vulnerability VCID-ce39-j83r-6ug9
14
vulnerability VCID-dd9p-x7k3-37ea
15
vulnerability VCID-drg6-gj1f-h7ea
16
vulnerability VCID-es1t-7196-4kbb
17
vulnerability VCID-g3rk-djae-pkeh
18
vulnerability VCID-gjey-bqtd-kqa1
19
vulnerability VCID-hppf-a715-r7b2
20
vulnerability VCID-jwun-grgg-2uet
21
vulnerability VCID-mnkw-23eu-bkgc
22
vulnerability VCID-p5mc-r1rg-5ff7
23
vulnerability VCID-sfyc-jewr-wuf5
24
vulnerability VCID-sgdb-985e-4uej
25
vulnerability VCID-sygb-mygd-s3gb
26
vulnerability VCID-t684-yp58-hkg8
27
vulnerability VCID-t9yh-ss8z-e3cb
28
vulnerability VCID-v9mt-t1pb-hybk
29
vulnerability VCID-wg3a-j2dp-ayh4
30
vulnerability VCID-wyy6-h8bq-vyde
31
vulnerability VCID-yy6t-ybeu-qycc
32
vulnerability VCID-yzpx-3gam-y3bu
33
vulnerability VCID-zqzx-avvt-wkhm
34
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%252Bdeb10u3
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2020-15169, GHSA-cfjv-5498-mph5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-31xv-z8c6-a7bg
6
url VCID-5qu2-b8gt-7qe3
vulnerability_id VCID-5qu2-b8gt-7qe3
summary 
Active Record subject to Regular Expression Denial-of-Service (ReDoS)
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22880.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22880.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22880
reference_id
reference_type
scores
0
value 0.02459
scoring_system epss
scoring_elements 0.85168
published_at 2026-04-01T12:55:00Z
1
value 0.02459
scoring_system epss
scoring_elements 0.85229
published_at 2026-04-09T12:55:00Z
2
value 0.02459
scoring_system epss
scoring_elements 0.85221
published_at 2026-04-08T12:55:00Z
3
value 0.02459
scoring_system epss
scoring_elements 0.85199
published_at 2026-04-07T12:55:00Z
4
value 0.02459
scoring_system epss
scoring_elements 0.85197
published_at 2026-04-04T12:55:00Z
5
value 0.02459
scoring_system epss
scoring_elements 0.85179
published_at 2026-04-02T12:55:00Z
6
value 0.02599
scoring_system epss
scoring_elements 0.85665
published_at 2026-04-26T12:55:00Z
7
value 0.02599
scoring_system epss
scoring_elements 0.85631
published_at 2026-04-16T12:55:00Z
8
value 0.02599
scoring_system epss
scoring_elements 0.85608
published_at 2026-04-13T12:55:00Z
9
value 0.02599
scoring_system epss
scoring_elements 0.85612
published_at 2026-04-12T12:55:00Z
10
value 0.02599
scoring_system epss
scoring_elements 0.85616
published_at 2026-04-11T12:55:00Z
11
value 0.02599
scoring_system epss
scoring_elements 0.85654
published_at 2026-04-24T12:55:00Z
12
value 0.02599
scoring_system epss
scoring_elements 0.85636
published_at 2026-04-18T12:55:00Z
13
value 0.02599
scoring_system epss
scoring_elements 0.85632
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22880
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
5
reference_url https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml
9
reference_url https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
10
reference_url https://hackerone.com/reports/1023899
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1023899
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22880
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22880
16
reference_url https://security.netapp.com/advisory/ntap-20210805-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210805-0009
17
reference_url https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210805-0009/
18
reference_url https://www.debian.org/security/2021/dsa-4929
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-4929
19
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1930102
reference_id 1930102
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1930102
20
reference_url https://github.com/advisories/GHSA-8hc4-xxm3-5ppp
reference_id GHSA-8hc4-xxm3-5ppp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8hc4-xxm3-5ppp
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-19fr-55kr-hyax
2
vulnerability VCID-1bxs-yghe-cyck
3
vulnerability VCID-1rxp-g9rz-4yb3
4
vulnerability VCID-1x8k-t8mr-3fgp
5
vulnerability VCID-31xv-z8c6-a7bg
6
vulnerability VCID-3hur-esmy-x3hr
7
vulnerability VCID-5qu2-b8gt-7qe3
8
vulnerability VCID-63gy-6njy-kbd8
9
vulnerability VCID-6ku5-mtgz-zygw
10
vulnerability VCID-6pxd-xsaw-tuer
11
vulnerability VCID-895a-ydc5-zfg6
12
vulnerability VCID-a6sp-18av-wya6
13
vulnerability VCID-ce39-j83r-6ug9
14
vulnerability VCID-dd9p-x7k3-37ea
15
vulnerability VCID-drg6-gj1f-h7ea
16
vulnerability VCID-es1t-7196-4kbb
17
vulnerability VCID-g3rk-djae-pkeh
18
vulnerability VCID-gjey-bqtd-kqa1
19
vulnerability VCID-hppf-a715-r7b2
20
vulnerability VCID-jwun-grgg-2uet
21
vulnerability VCID-mnkw-23eu-bkgc
22
vulnerability VCID-p5mc-r1rg-5ff7
23
vulnerability VCID-sfyc-jewr-wuf5
24
vulnerability VCID-sgdb-985e-4uej
25
vulnerability VCID-sygb-mygd-s3gb
26
vulnerability VCID-t684-yp58-hkg8
27
vulnerability VCID-t9yh-ss8z-e3cb
28
vulnerability VCID-v9mt-t1pb-hybk
29
vulnerability VCID-wg3a-j2dp-ayh4
30
vulnerability VCID-wyy6-h8bq-vyde
31
vulnerability VCID-yy6t-ybeu-qycc
32
vulnerability VCID-yzpx-3gam-y3bu
33
vulnerability VCID-zqzx-avvt-wkhm
34
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%252Bdeb10u3
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2021-22880, GHSA-8hc4-xxm3-5ppp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5qu2-b8gt-7qe3
7
url VCID-63gy-6njy-kbd8
vulnerability_id VCID-63gy-6njy-kbd8
summary 
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22792
reference_id
reference_type
scores
0
value 0.02264
scoring_system epss
scoring_elements 0.84652
published_at 2026-04-21T12:55:00Z
1
value 0.02264
scoring_system epss
scoring_elements 0.8469
published_at 2026-04-26T12:55:00Z
2
value 0.02264
scoring_system epss
scoring_elements 0.8468
published_at 2026-04-24T12:55:00Z
3
value 0.02639
scoring_system epss
scoring_elements 0.8567
published_at 2026-04-07T12:55:00Z
4
value 0.02639
scoring_system epss
scoring_elements 0.85734
published_at 2026-04-18T12:55:00Z
5
value 0.02639
scoring_system epss
scoring_elements 0.85729
published_at 2026-04-16T12:55:00Z
6
value 0.02639
scoring_system epss
scoring_elements 0.85707
published_at 2026-04-13T12:55:00Z
7
value 0.02639
scoring_system epss
scoring_elements 0.85711
published_at 2026-04-12T12:55:00Z
8
value 0.02639
scoring_system epss
scoring_elements 0.85715
published_at 2026-04-11T12:55:00Z
9
value 0.02639
scoring_system epss
scoring_elements 0.85701
published_at 2026-04-09T12:55:00Z
10
value 0.02639
scoring_system epss
scoring_elements 0.85689
published_at 2026-04-08T12:55:00Z
11
value 0.02639
scoring_system epss
scoring_elements 0.85663
published_at 2026-04-04T12:55:00Z
12
value 0.02639
scoring_system epss
scoring_elements 0.85646
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22792
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
17
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
18
reference_url https://security.netapp.com/advisory/ntap-20240202-0007
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0007
19
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://www.debian.org/security/2023/dsa-5372
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164800
reference_id 2164800
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164800
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22792
reference_id CVE-2023-22792
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22792
23
reference_url https://github.com/advisories/GHSA-p84v-45xj-wwqj
reference_id GHSA-p84v-45xj-wwqj
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p84v-45xj-wwqj
24
reference_url https://security.netapp.com/advisory/ntap-20240202-0007/
reference_id ntap-20240202-0007
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://security.netapp.com/advisory/ntap-20240202-0007/
25
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2023-22792, GHSA-p84v-45xj-wwqj, GMS-2023-58
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-63gy-6njy-kbd8
8
url VCID-6ku5-mtgz-zygw
vulnerability_id VCID-6ku5-mtgz-zygw
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22796
reference_id
reference_type
scores
0
value 0.01484
scoring_system epss
scoring_elements 0.81071
published_at 2026-04-24T12:55:00Z
1
value 0.01484
scoring_system epss
scoring_elements 0.81049
published_at 2026-04-21T12:55:00Z
2
value 0.01484
scoring_system epss
scoring_elements 0.81079
published_at 2026-04-26T12:55:00Z
3
value 0.01733
scoring_system epss
scoring_elements 0.82473
published_at 2026-04-11T12:55:00Z
4
value 0.01733
scoring_system epss
scoring_elements 0.82424
published_at 2026-04-04T12:55:00Z
5
value 0.01733
scoring_system epss
scoring_elements 0.825
published_at 2026-04-18T12:55:00Z
6
value 0.01733
scoring_system epss
scoring_elements 0.82463
published_at 2026-04-13T12:55:00Z
7
value 0.01733
scoring_system epss
scoring_elements 0.82468
published_at 2026-04-12T12:55:00Z
8
value 0.01733
scoring_system epss
scoring_elements 0.8242
published_at 2026-04-07T12:55:00Z
9
value 0.01733
scoring_system epss
scoring_elements 0.82454
published_at 2026-04-09T12:55:00Z
10
value 0.01733
scoring_system epss
scoring_elements 0.82448
published_at 2026-04-08T12:55:00Z
11
value 0.01733
scoring_system epss
scoring_elements 0.82406
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22796
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-05T21:51:29Z/
url https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8
16
reference_url https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef
17
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
18
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
19
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164736
reference_id 2164736
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164736
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22796
reference_id CVE-2023-22796
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22796
23
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml
reference_id CVE-2023-22796.YML
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml
24
reference_url https://github.com/advisories/GHSA-j6gc-792m-qgm2
reference_id GHSA-j6gc-792m-qgm2
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j6gc-792m-qgm2
25
reference_url https://security.netapp.com/advisory/ntap-20240202-0009/
reference_id ntap-20240202-0009
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-05T21:51:29Z/
url https://security.netapp.com/advisory/ntap-20240202-0009/
26
reference_url https://access.redhat.com/errata/RHSA-2023:4341
reference_id RHSA-2023:4341
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:4341
27
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2023-22796, GHSA-j6gc-792m-qgm2, GMS-2023-61
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6ku5-mtgz-zygw
9
url VCID-895a-ydc5-zfg6
vulnerability_id VCID-895a-ydc5-zfg6
summary 
Circumvention of file size limits in ActiveStorage
There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.

Versions Affected:  rails < 5.2.4.2, rails < 6.0.3.1
Not affected:       Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8162
reference_id
reference_type
scores
0
value 0.01549
scoring_system epss
scoring_elements 0.81479
published_at 2026-04-26T12:55:00Z
1
value 0.01549
scoring_system epss
scoring_elements 0.81347
published_at 2026-04-01T12:55:00Z
2
value 0.01549
scoring_system epss
scoring_elements 0.81356
published_at 2026-04-02T12:55:00Z
3
value 0.01549
scoring_system epss
scoring_elements 0.81378
published_at 2026-04-04T12:55:00Z
4
value 0.01549
scoring_system epss
scoring_elements 0.81376
published_at 2026-04-07T12:55:00Z
5
value 0.01549
scoring_system epss
scoring_elements 0.81405
published_at 2026-04-08T12:55:00Z
6
value 0.01549
scoring_system epss
scoring_elements 0.81409
published_at 2026-04-09T12:55:00Z
7
value 0.01549
scoring_system epss
scoring_elements 0.81431
published_at 2026-04-11T12:55:00Z
8
value 0.01549
scoring_system epss
scoring_elements 0.81418
published_at 2026-04-12T12:55:00Z
9
value 0.01549
scoring_system epss
scoring_elements 0.81411
published_at 2026-04-13T12:55:00Z
10
value 0.01549
scoring_system epss
scoring_elements 0.81448
published_at 2026-04-16T12:55:00Z
11
value 0.01549
scoring_system epss
scoring_elements 0.81449
published_at 2026-04-18T12:55:00Z
12
value 0.01549
scoring_system epss
scoring_elements 0.8145
published_at 2026-04-21T12:55:00Z
13
value 0.01549
scoring_system epss
scoring_elements 0.81472
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8162
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://github.com/aws/aws-sdk-ruby
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aws/aws-sdk-ruby
9
reference_url https://github.com/aws/aws-sdk-ruby/issues/2098
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aws/aws-sdk-ruby/issues/2098
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml
11
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
12
reference_url https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ
13
reference_url https://hackerone.com/reports/789579
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/789579
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8162
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8162
15
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843005
reference_id 1843005
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843005
17
reference_url https://github.com/advisories/GHSA-m42x-37p3-fv5w
reference_id GHSA-m42x-37p3-fv5w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m42x-37p3-fv5w
18
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-19fr-55kr-hyax
2
vulnerability VCID-1bxs-yghe-cyck
3
vulnerability VCID-1rxp-g9rz-4yb3
4
vulnerability VCID-1x8k-t8mr-3fgp
5
vulnerability VCID-31xv-z8c6-a7bg
6
vulnerability VCID-3hur-esmy-x3hr
7
vulnerability VCID-5qu2-b8gt-7qe3
8
vulnerability VCID-63gy-6njy-kbd8
9
vulnerability VCID-6ku5-mtgz-zygw
10
vulnerability VCID-6pxd-xsaw-tuer
11
vulnerability VCID-895a-ydc5-zfg6
12
vulnerability VCID-a6sp-18av-wya6
13
vulnerability VCID-ce39-j83r-6ug9
14
vulnerability VCID-dd9p-x7k3-37ea
15
vulnerability VCID-drg6-gj1f-h7ea
16
vulnerability VCID-es1t-7196-4kbb
17
vulnerability VCID-g3rk-djae-pkeh
18
vulnerability VCID-gjey-bqtd-kqa1
19
vulnerability VCID-hppf-a715-r7b2
20
vulnerability VCID-jwun-grgg-2uet
21
vulnerability VCID-mnkw-23eu-bkgc
22
vulnerability VCID-p5mc-r1rg-5ff7
23
vulnerability VCID-sfyc-jewr-wuf5
24
vulnerability VCID-sgdb-985e-4uej
25
vulnerability VCID-sygb-mygd-s3gb
26
vulnerability VCID-t684-yp58-hkg8
27
vulnerability VCID-t9yh-ss8z-e3cb
28
vulnerability VCID-v9mt-t1pb-hybk
29
vulnerability VCID-wg3a-j2dp-ayh4
30
vulnerability VCID-wyy6-h8bq-vyde
31
vulnerability VCID-yy6t-ybeu-qycc
32
vulnerability VCID-yzpx-3gam-y3bu
33
vulnerability VCID-zqzx-avvt-wkhm
34
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%252Bdeb10u3
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2020-8162, GHSA-m42x-37p3-fv5w
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-895a-ydc5-zfg6
10
url VCID-a6sp-18av-wya6
vulnerability_id VCID-a6sp-18av-wya6
summary 
Possible Strong Parameters Bypass in ActionPack
There is a strong parameters bypass vector in ActionPack.

Versions Affected:  rails <= 6.0.3
Not affected:       rails < 5.0.0
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------
In some cases user supplied information can be inadvertently leaked from
Strong Parameters.  Specifically the return value of `each`, or `each_value`,
or `each_pair` will return the underlying "untrusted" hash of data that was
read from the parameters.  Applications that use this return value may be
inadvertently use untrusted user input.

Impacted code will look something like this:

```
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above
example.

Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your
application.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8164
reference_id
reference_type
scores
0
value 0.07389
scoring_system epss
scoring_elements 0.91736
published_at 2026-04-12T12:55:00Z
1
value 0.07389
scoring_system epss
scoring_elements 0.91734
published_at 2026-04-11T12:55:00Z
2
value 0.07389
scoring_system epss
scoring_elements 0.91731
published_at 2026-04-09T12:55:00Z
3
value 0.07389
scoring_system epss
scoring_elements 0.91724
published_at 2026-04-08T12:55:00Z
4
value 0.07389
scoring_system epss
scoring_elements 0.91712
published_at 2026-04-07T12:55:00Z
5
value 0.07389
scoring_system epss
scoring_elements 0.91703
published_at 2026-04-04T12:55:00Z
6
value 0.07389
scoring_system epss
scoring_elements 0.91698
published_at 2026-04-02T12:55:00Z
7
value 0.07389
scoring_system epss
scoring_elements 0.9169
published_at 2026-04-01T12:55:00Z
8
value 0.07389
scoring_system epss
scoring_elements 0.91749
published_at 2026-04-26T12:55:00Z
9
value 0.07389
scoring_system epss
scoring_elements 0.91732
published_at 2026-04-13T12:55:00Z
10
value 0.07389
scoring_system epss
scoring_elements 0.91752
published_at 2026-04-16T12:55:00Z
11
value 0.07389
scoring_system epss
scoring_elements 0.91745
published_at 2026-04-18T12:55:00Z
12
value 0.07389
scoring_system epss
scoring_elements 0.91746
published_at 2026-04-21T12:55:00Z
13
value 0.07389
scoring_system epss
scoring_elements 0.91751
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
11
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
12
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
14
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
15
reference_url https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
16
reference_url https://hackerone.com/reports/292797
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/292797
17
reference_url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
18
reference_url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8164
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8164
20
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1842634
reference_id 1842634
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1842634
22
reference_url https://github.com/advisories/GHSA-8727-m6gj-mc37
reference_id GHSA-8727-m6gj-mc37
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8727-m6gj-mc37
23
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-19fr-55kr-hyax
2
vulnerability VCID-1bxs-yghe-cyck
3
vulnerability VCID-1rxp-g9rz-4yb3
4
vulnerability VCID-1x8k-t8mr-3fgp
5
vulnerability VCID-31xv-z8c6-a7bg
6
vulnerability VCID-3hur-esmy-x3hr
7
vulnerability VCID-5qu2-b8gt-7qe3
8
vulnerability VCID-63gy-6njy-kbd8
9
vulnerability VCID-6ku5-mtgz-zygw
10
vulnerability VCID-6pxd-xsaw-tuer
11
vulnerability VCID-895a-ydc5-zfg6
12
vulnerability VCID-a6sp-18av-wya6
13
vulnerability VCID-ce39-j83r-6ug9
14
vulnerability VCID-dd9p-x7k3-37ea
15
vulnerability VCID-drg6-gj1f-h7ea
16
vulnerability VCID-es1t-7196-4kbb
17
vulnerability VCID-g3rk-djae-pkeh
18
vulnerability VCID-gjey-bqtd-kqa1
19
vulnerability VCID-hppf-a715-r7b2
20
vulnerability VCID-jwun-grgg-2uet
21
vulnerability VCID-mnkw-23eu-bkgc
22
vulnerability VCID-p5mc-r1rg-5ff7
23
vulnerability VCID-sfyc-jewr-wuf5
24
vulnerability VCID-sgdb-985e-4uej
25
vulnerability VCID-sygb-mygd-s3gb
26
vulnerability VCID-t684-yp58-hkg8
27
vulnerability VCID-t9yh-ss8z-e3cb
28
vulnerability VCID-v9mt-t1pb-hybk
29
vulnerability VCID-wg3a-j2dp-ayh4
30
vulnerability VCID-wyy6-h8bq-vyde
31
vulnerability VCID-yy6t-ybeu-qycc
32
vulnerability VCID-yzpx-3gam-y3bu
33
vulnerability VCID-zqzx-avvt-wkhm
34
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%252Bdeb10u3
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2020-8164, GHSA-8727-m6gj-mc37
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a6sp-18av-wya6
11
url VCID-ce39-j83r-6ug9
vulnerability_id VCID-ce39-j83r-6ug9
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-22577
reference_id
reference_type
scores
0
value 0.00287
scoring_system epss
scoring_elements 0.52126
published_at 2026-04-04T12:55:00Z
1
value 0.00287
scoring_system epss
scoring_elements 0.52141
published_at 2026-04-09T12:55:00Z
2
value 0.00287
scoring_system epss
scoring_elements 0.52099
published_at 2026-04-02T12:55:00Z
3
value 0.00287
scoring_system epss
scoring_elements 0.52091
published_at 2026-04-07T12:55:00Z
4
value 0.00287
scoring_system epss
scoring_elements 0.52204
published_at 2026-04-18T12:55:00Z
5
value 0.00287
scoring_system epss
scoring_elements 0.52201
published_at 2026-04-16T12:55:00Z
6
value 0.00287
scoring_system epss
scoring_elements 0.5216
published_at 2026-04-13T12:55:00Z
7
value 0.00287
scoring_system epss
scoring_elements 0.52175
published_at 2026-04-12T12:55:00Z
8
value 0.00287
scoring_system epss
scoring_elements 0.52192
published_at 2026-04-11T12:55:00Z
9
value 0.00287
scoring_system epss
scoring_elements 0.52145
published_at 2026-04-08T12:55:00Z
10
value 0.00291
scoring_system epss
scoring_elements 0.52486
published_at 2026-04-26T12:55:00Z
11
value 0.00291
scoring_system epss
scoring_elements 0.52475
published_at 2026-04-24T12:55:00Z
12
value 0.00291
scoring_system epss
scoring_elements 0.52527
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-22577
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
16
reference_url https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
17
reference_url https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
18
reference_url https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
19
reference_url https://github.com/rails/rails/pull/44635
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/pull/44635
20
reference_url https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
21
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
22
reference_url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
23
reference_url https://security.netapp.com/advisory/ntap-20221118-0002
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20221118-0002
24
reference_url https://security.netapp.com/advisory/ntap-20221118-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20221118-0002/
25
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941
reference_id 1011941
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941
27
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2080302
reference_id 2080302
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2080302
28
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-22577
reference_id CVE-2022-22577
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-22577
29
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
reference_id CVE-2022-22577.YML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
30
reference_url https://github.com/advisories/GHSA-mm33-5vfq-3mm3
reference_id GHSA-mm33-5vfq-3mm3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mm33-5vfq-3mm3
31
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2022-22577, GHSA-mm33-5vfq-3mm3, GMS-2022-1137
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ce39-j83r-6ug9
12
url VCID-drg6-gj1f-h7ea
vulnerability_id VCID-drg6-gj1f-h7ea
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21831.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21831.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-21831
reference_id
reference_type
scores
0
value 0.0142
scoring_system epss
scoring_elements 0.80648
published_at 2026-04-26T12:55:00Z
1
value 0.0142
scoring_system epss
scoring_elements 0.80644
published_at 2026-04-24T12:55:00Z
2
value 0.0142
scoring_system epss
scoring_elements 0.8062
published_at 2026-04-21T12:55:00Z
3
value 0.0142
scoring_system epss
scoring_elements 0.80616
published_at 2026-04-18T12:55:00Z
4
value 0.0142
scoring_system epss
scoring_elements 0.80585
published_at 2026-04-13T12:55:00Z
5
value 0.0142
scoring_system epss
scoring_elements 0.80589
published_at 2026-04-09T12:55:00Z
6
value 0.0142
scoring_system epss
scoring_elements 0.80579
published_at 2026-04-08T12:55:00Z
7
value 0.0142
scoring_system epss
scoring_elements 0.8055
published_at 2026-04-07T12:55:00Z
8
value 0.0142
scoring_system epss
scoring_elements 0.80559
published_at 2026-04-04T12:55:00Z
9
value 0.0142
scoring_system epss
scoring_elements 0.80537
published_at 2026-04-02T12:55:00Z
10
value 0.0142
scoring_system epss
scoring_elements 0.80614
published_at 2026-04-16T12:55:00Z
11
value 0.0142
scoring_system epss
scoring_elements 0.80592
published_at 2026-04-12T12:55:00Z
12
value 0.0142
scoring_system epss
scoring_elements 0.80606
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-21831
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
13
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
14
reference_url https://github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e
15
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2022-21831.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2022-21831.yml
16
reference_url https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI
17
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
18
reference_url https://rubysec.com/advisories/CVE-2022-21831
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://rubysec.com/advisories/CVE-2022-21831
19
reference_url https://security.netapp.com/advisory/ntap-20221118-0001
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20221118-0001
20
reference_url https://security.netapp.com/advisory/ntap-20221118-0001/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20221118-0001/
21
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011940
reference_id 1011940
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011940
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2064747
reference_id 2064747
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2064747
24
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-21831
reference_id CVE-2022-21831
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-21831
25
reference_url https://rubysec.com/advisories/CVE-2022-21831/
reference_id CVE-2022-21831
reference_type
scores
url https://rubysec.com/advisories/CVE-2022-21831/
26
reference_url https://github.com/advisories/GHSA-w749-p3v6-hccq
reference_id GHSA-w749-p3v6-hccq
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-w749-p3v6-hccq
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2022-21831, GHSA-w749-p3v6-hccq, GMS-2022-301
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-drg6-gj1f-h7ea
13
url VCID-es1t-7196-4kbb
vulnerability_id VCID-es1t-7196-4kbb
summary 
CSRF Vulnerability in rails-ujs
There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains.

Versions Affected:  rails <= 6.0.3
Not affected:       Applications which don't use rails-ujs.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

This is a regression of CVE-2015-1840.

In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent.

Workarounds
-----------

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters.

For example, code like this:

    link_to params

to code like this:

    link_to filtered_params

    def filtered_params
      # Filter just the parameters that you trust
    end
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8167
reference_id
reference_type
scores
0
value 0.00592
scoring_system epss
scoring_elements 0.69328
published_at 2026-04-26T12:55:00Z
1
value 0.00592
scoring_system epss
scoring_elements 0.69177
published_at 2026-04-01T12:55:00Z
2
value 0.00592
scoring_system epss
scoring_elements 0.69192
published_at 2026-04-02T12:55:00Z
3
value 0.00592
scoring_system epss
scoring_elements 0.69213
published_at 2026-04-04T12:55:00Z
4
value 0.00592
scoring_system epss
scoring_elements 0.69195
published_at 2026-04-07T12:55:00Z
5
value 0.00592
scoring_system epss
scoring_elements 0.69245
published_at 2026-04-08T12:55:00Z
6
value 0.00592
scoring_system epss
scoring_elements 0.69263
published_at 2026-04-09T12:55:00Z
7
value 0.00592
scoring_system epss
scoring_elements 0.69285
published_at 2026-04-11T12:55:00Z
8
value 0.00592
scoring_system epss
scoring_elements 0.69271
published_at 2026-04-12T12:55:00Z
9
value 0.00592
scoring_system epss
scoring_elements 0.69242
published_at 2026-04-13T12:55:00Z
10
value 0.00592
scoring_system epss
scoring_elements 0.69281
published_at 2026-04-16T12:55:00Z
11
value 0.00592
scoring_system epss
scoring_elements 0.6929
published_at 2026-04-18T12:55:00Z
12
value 0.00592
scoring_system epss
scoring_elements 0.69269
published_at 2026-04-21T12:55:00Z
13
value 0.00592
scoring_system epss
scoring_elements 0.69321
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8167
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
10
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
11
reference_url https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
12
reference_url https://hackerone.com/reports/189878
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/189878
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8167
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8167
14
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843084
reference_id 1843084
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843084
16
reference_url https://github.com/advisories/GHSA-xq5j-gw7f-jgj8
reference_id GHSA-xq5j-gw7f-jgj8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xq5j-gw7f-jgj8
17
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-19fr-55kr-hyax
2
vulnerability VCID-1bxs-yghe-cyck
3
vulnerability VCID-1rxp-g9rz-4yb3
4
vulnerability VCID-1x8k-t8mr-3fgp
5
vulnerability VCID-31xv-z8c6-a7bg
6
vulnerability VCID-3hur-esmy-x3hr
7
vulnerability VCID-5qu2-b8gt-7qe3
8
vulnerability VCID-63gy-6njy-kbd8
9
vulnerability VCID-6ku5-mtgz-zygw
10
vulnerability VCID-6pxd-xsaw-tuer
11
vulnerability VCID-895a-ydc5-zfg6
12
vulnerability VCID-a6sp-18av-wya6
13
vulnerability VCID-ce39-j83r-6ug9
14
vulnerability VCID-dd9p-x7k3-37ea
15
vulnerability VCID-drg6-gj1f-h7ea
16
vulnerability VCID-es1t-7196-4kbb
17
vulnerability VCID-g3rk-djae-pkeh
18
vulnerability VCID-gjey-bqtd-kqa1
19
vulnerability VCID-hppf-a715-r7b2
20
vulnerability VCID-jwun-grgg-2uet
21
vulnerability VCID-mnkw-23eu-bkgc
22
vulnerability VCID-p5mc-r1rg-5ff7
23
vulnerability VCID-sfyc-jewr-wuf5
24
vulnerability VCID-sgdb-985e-4uej
25
vulnerability VCID-sygb-mygd-s3gb
26
vulnerability VCID-t684-yp58-hkg8
27
vulnerability VCID-t9yh-ss8z-e3cb
28
vulnerability VCID-v9mt-t1pb-hybk
29
vulnerability VCID-wg3a-j2dp-ayh4
30
vulnerability VCID-wyy6-h8bq-vyde
31
vulnerability VCID-yy6t-ybeu-qycc
32
vulnerability VCID-yzpx-3gam-y3bu
33
vulnerability VCID-zqzx-avvt-wkhm
34
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%252Bdeb10u3
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2020-8167, GHSA-xq5j-gw7f-jgj8
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-es1t-7196-4kbb
14
url VCID-gjey-bqtd-kqa1
vulnerability_id VCID-gjey-bqtd-kqa1
summary 
Action Pack contains Information Disclosure / Unintended Method Execution vulnerability
Impact
------
There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.

Vulnerable code will look like this.

```
redirect_to(params[:some_param])
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
To work around this problem, it is recommended to use an allow list for valid parameters passed from the user.  For example,

```ruby
private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end

def index
  redirect_to(check(params[:some_param]))
end
```

Or force the user input to be cast to a string like this,

```ruby
def index
  redirect_to(params[:some_param].to_s)
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5-2-information-disclosure.patch - Patch for 5.2 series
* 6-0-information-disclosure.patch - Patch for 6.0 series
* 6-1-information-disclosure.patch - Patch for 6.1 series

Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Benoit Côté-Jodoin from Shopify for reporting this.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22885
reference_id
reference_type
scores
0
value 0.03096
scoring_system epss
scoring_elements 0.86812
published_at 2026-04-16T12:55:00Z
1
value 0.03096
scoring_system epss
scoring_elements 0.86736
published_at 2026-04-01T12:55:00Z
2
value 0.03096
scoring_system epss
scoring_elements 0.86831
published_at 2026-04-24T12:55:00Z
3
value 0.03096
scoring_system epss
scoring_elements 0.86815
published_at 2026-04-21T12:55:00Z
4
value 0.03096
scoring_system epss
scoring_elements 0.86817
published_at 2026-04-18T12:55:00Z
5
value 0.03096
scoring_system epss
scoring_elements 0.86746
published_at 2026-04-02T12:55:00Z
6
value 0.03096
scoring_system epss
scoring_elements 0.86765
published_at 2026-04-04T12:55:00Z
7
value 0.03096
scoring_system epss
scoring_elements 0.86763
published_at 2026-04-07T12:55:00Z
8
value 0.03096
scoring_system epss
scoring_elements 0.86783
published_at 2026-04-08T12:55:00Z
9
value 0.03096
scoring_system epss
scoring_elements 0.86791
published_at 2026-04-09T12:55:00Z
10
value 0.03096
scoring_system epss
scoring_elements 0.86805
published_at 2026-04-11T12:55:00Z
11
value 0.03096
scoring_system epss
scoring_elements 0.86802
published_at 2026-04-12T12:55:00Z
12
value 0.03096
scoring_system epss
scoring_elements 0.86797
published_at 2026-04-13T12:55:00Z
13
value 0.03096
scoring_system epss
scoring_elements 0.86838
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22885
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
7
reference_url https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
8
reference_url https://hackerone.com/reports/1106652
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1106652
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22885
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22885
10
reference_url https://security.netapp.com/advisory/ntap-20210805-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210805-0009
11
reference_url https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210805-0009/
12
reference_url https://www.debian.org/security/2021/dsa-4929
reference_id
reference_type
scores
url https://www.debian.org/security/2021/dsa-4929
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1957441
reference_id 1957441
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1957441
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id 988214
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
15
reference_url https://security.archlinux.org/AVG-1920
reference_id AVG-1920
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1920
16
reference_url https://security.archlinux.org/AVG-1921
reference_id AVG-1921
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1921
17
reference_url https://security.archlinux.org/AVG-2090
reference_id AVG-2090
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2090
18
reference_url https://security.archlinux.org/AVG-2223
reference_id AVG-2223
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2223
19
reference_url https://github.com/advisories/GHSA-hjg4-8q5f-x6fm
reference_id GHSA-hjg4-8q5f-x6fm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hjg4-8q5f-x6fm
20
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-19fr-55kr-hyax
2
vulnerability VCID-1bxs-yghe-cyck
3
vulnerability VCID-1rxp-g9rz-4yb3
4
vulnerability VCID-1x8k-t8mr-3fgp
5
vulnerability VCID-31xv-z8c6-a7bg
6
vulnerability VCID-3hur-esmy-x3hr
7
vulnerability VCID-5qu2-b8gt-7qe3
8
vulnerability VCID-63gy-6njy-kbd8
9
vulnerability VCID-6ku5-mtgz-zygw
10
vulnerability VCID-6pxd-xsaw-tuer
11
vulnerability VCID-895a-ydc5-zfg6
12
vulnerability VCID-a6sp-18av-wya6
13
vulnerability VCID-ce39-j83r-6ug9
14
vulnerability VCID-dd9p-x7k3-37ea
15
vulnerability VCID-drg6-gj1f-h7ea
16
vulnerability VCID-es1t-7196-4kbb
17
vulnerability VCID-g3rk-djae-pkeh
18
vulnerability VCID-gjey-bqtd-kqa1
19
vulnerability VCID-hppf-a715-r7b2
20
vulnerability VCID-jwun-grgg-2uet
21
vulnerability VCID-mnkw-23eu-bkgc
22
vulnerability VCID-p5mc-r1rg-5ff7
23
vulnerability VCID-sfyc-jewr-wuf5
24
vulnerability VCID-sgdb-985e-4uej
25
vulnerability VCID-sygb-mygd-s3gb
26
vulnerability VCID-t684-yp58-hkg8
27
vulnerability VCID-t9yh-ss8z-e3cb
28
vulnerability VCID-v9mt-t1pb-hybk
29
vulnerability VCID-wg3a-j2dp-ayh4
30
vulnerability VCID-wyy6-h8bq-vyde
31
vulnerability VCID-yy6t-ybeu-qycc
32
vulnerability VCID-yzpx-3gam-y3bu
33
vulnerability VCID-zqzx-avvt-wkhm
34
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%252Bdeb10u3
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2021-22885, GHSA-hjg4-8q5f-x6fm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gjey-bqtd-kqa1
15
url VCID-hppf-a715-r7b2
vulnerability_id VCID-hppf-a715-r7b2
summary 
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22795
reference_id
reference_type
scores
0
value 0.01304
scoring_system epss
scoring_elements 0.79782
published_at 2026-04-21T12:55:00Z
1
value 0.01304
scoring_system epss
scoring_elements 0.79819
published_at 2026-04-26T12:55:00Z
2
value 0.01304
scoring_system epss
scoring_elements 0.79812
published_at 2026-04-24T12:55:00Z
3
value 0.01523
scoring_system epss
scoring_elements 0.81274
published_at 2026-04-12T12:55:00Z
4
value 0.01523
scoring_system epss
scoring_elements 0.81288
published_at 2026-04-11T12:55:00Z
5
value 0.01523
scoring_system epss
scoring_elements 0.81262
published_at 2026-04-08T12:55:00Z
6
value 0.01523
scoring_system epss
scoring_elements 0.81305
published_at 2026-04-18T12:55:00Z
7
value 0.01523
scoring_system epss
scoring_elements 0.81303
published_at 2026-04-16T12:55:00Z
8
value 0.01523
scoring_system epss
scoring_elements 0.81266
published_at 2026-04-13T12:55:00Z
9
value 0.01523
scoring_system epss
scoring_elements 0.8121
published_at 2026-04-02T12:55:00Z
10
value 0.01523
scoring_system epss
scoring_elements 0.81234
published_at 2026-04-07T12:55:00Z
11
value 0.01523
scoring_system epss
scoring_elements 0.81267
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22795
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
16
reference_url https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
17
reference_url https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
18
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
19
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
20
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
21
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164799
reference_id 2164799
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164799
24
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22795
reference_id CVE-2023-22795
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22795
25
reference_url https://github.com/advisories/GHSA-8xww-x3g3-6jcv
reference_id GHSA-8xww-x3g3-6jcv
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8xww-x3g3-6jcv
26
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2023-22795, GHSA-8xww-x3g3-6jcv, GMS-2023-56
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hppf-a715-r7b2
16
url VCID-jwun-grgg-2uet
vulnerability_id VCID-jwun-grgg-2uet
summary 
Exposure of information in Action Pack
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23633
reference_id
reference_type
scores
0
value 0.00303
scoring_system epss
scoring_elements 0.53568
published_at 2026-04-24T12:55:00Z
1
value 0.00303
scoring_system epss
scoring_elements 0.53606
published_at 2026-04-21T12:55:00Z
2
value 0.00303
scoring_system epss
scoring_elements 0.5358
published_at 2026-04-26T12:55:00Z
3
value 0.00367
scoring_system epss
scoring_elements 0.58669
published_at 2026-04-09T12:55:00Z
4
value 0.00367
scoring_system epss
scoring_elements 0.58662
published_at 2026-04-08T12:55:00Z
5
value 0.00367
scoring_system epss
scoring_elements 0.58623
published_at 2026-04-02T12:55:00Z
6
value 0.00367
scoring_system epss
scoring_elements 0.58643
published_at 2026-04-04T12:55:00Z
7
value 0.00367
scoring_system epss
scoring_elements 0.5861
published_at 2026-04-07T12:55:00Z
8
value 0.00367
scoring_system epss
scoring_elements 0.5868
published_at 2026-04-16T12:55:00Z
9
value 0.00367
scoring_system epss
scoring_elements 0.58648
published_at 2026-04-13T12:55:00Z
10
value 0.00367
scoring_system epss
scoring_elements 0.58667
published_at 2026-04-12T12:55:00Z
11
value 0.00367
scoring_system epss
scoring_elements 0.58687
published_at 2026-04-11T12:55:00Z
12
value 0.00367
scoring_system epss
scoring_elements 0.58685
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23633
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23634
reference_id
reference_type
scores
0
value 0.00441
scoring_system epss
scoring_elements 0.6325
published_at 2026-04-08T12:55:00Z
1
value 0.00441
scoring_system epss
scoring_elements 0.6329
published_at 2026-04-26T12:55:00Z
2
value 0.00441
scoring_system epss
scoring_elements 0.63276
published_at 2026-04-24T12:55:00Z
3
value 0.00441
scoring_system epss
scoring_elements 0.63256
published_at 2026-04-21T12:55:00Z
4
value 0.00441
scoring_system epss
scoring_elements 0.63277
published_at 2026-04-18T12:55:00Z
5
value 0.00441
scoring_system epss
scoring_elements 0.6327
published_at 2026-04-16T12:55:00Z
6
value 0.00441
scoring_system epss
scoring_elements 0.63233
published_at 2026-04-13T12:55:00Z
7
value 0.00441
scoring_system epss
scoring_elements 0.63269
published_at 2026-04-12T12:55:00Z
8
value 0.00441
scoring_system epss
scoring_elements 0.63284
published_at 2026-04-11T12:55:00Z
9
value 0.00441
scoring_system epss
scoring_elements 0.63267
published_at 2026-04-09T12:55:00Z
10
value 0.00441
scoring_system epss
scoring_elements 0.63198
published_at 2026-04-07T12:55:00Z
11
value 0.00453
scoring_system epss
scoring_elements 0.63789
published_at 2026-04-04T12:55:00Z
12
value 0.00453
scoring_system epss
scoring_elements 0.63763
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23634
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
16
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
17
reference_url https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
18
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
19
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
20
reference_url https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
21
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
22
reference_url https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
23
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
24
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml
25
reference_url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3
scoring_elements
1
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
26
reference_url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
27
reference_url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
28
reference_url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
29
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
30
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
31
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
32
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
33
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
34
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
35
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
36
reference_url https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
37
reference_url https://security.gentoo.org/glsa/202208-28
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202208-28
38
reference_url https://security.netapp.com/advisory/ntap-20240119-0013
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240119-0013
39
reference_url https://security.netapp.com/advisory/ntap-20240119-0013/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240119-0013/
40
reference_url https://www.debian.org/security/2022/dsa-5146
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2022/dsa-5146
41
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
42
reference_url http://www.openwall.com/lists/oss-security/2022/02/11/5
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2022/02/11/5
43
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
reference_id 1005389
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
44
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391
reference_id 1005391
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391
45
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2054211
reference_id 2054211
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2054211
46
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2063149
reference_id 2063149
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2063149
47
reference_url https://security.archlinux.org/AVG-2764
reference_id AVG-2764
reference_type
scores
0
value High
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2764
48
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23633
reference_id CVE-2022-23633
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23633
49
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23634
reference_id CVE-2022-23634
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23634
50
reference_url https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
reference_id GHSA-rmj8-8hhh-gv5h
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
51
reference_url https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
reference_id GHSA-rmj8-8hhh-gv5h
reference_type
scores
0
value 8.0
scoring_system cvssv3
scoring_elements
1
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
52
reference_url https://github.com/advisories/GHSA-wh98-p28r-vrc9
reference_id GHSA-wh98-p28r-vrc9
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-wh98-p28r-vrc9
53
reference_url https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
reference_id GHSA-wh98-p28r-vrc9
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
54
reference_url https://access.redhat.com/errata/RHSA-2022:5498
reference_id RHSA-2022:5498
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5498
55
reference_url https://usn.ubuntu.com/6682-1/
reference_id USN-6682-1
reference_type
scores
url https://usn.ubuntu.com/6682-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2022-23633, CVE-2022-23634, GHSA-rmj8-8hhh-gv5h, GHSA-wh98-p28r-vrc9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jwun-grgg-2uet
17
url VCID-mnkw-23eu-bkgc
vulnerability_id VCID-mnkw-23eu-bkgc
summary 
Ability to forge per-form CSRF tokens in Rails
It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Impact
------

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8166
reference_id
reference_type
scores
0
value 0.00443
scoring_system epss
scoring_elements 0.63351
published_at 2026-04-24T12:55:00Z
1
value 0.00443
scoring_system epss
scoring_elements 0.63225
published_at 2026-04-01T12:55:00Z
2
value 0.00443
scoring_system epss
scoring_elements 0.63284
published_at 2026-04-02T12:55:00Z
3
value 0.00443
scoring_system epss
scoring_elements 0.63312
published_at 2026-04-04T12:55:00Z
4
value 0.00443
scoring_system epss
scoring_elements 0.63278
published_at 2026-04-07T12:55:00Z
5
value 0.00443
scoring_system epss
scoring_elements 0.63329
published_at 2026-04-08T12:55:00Z
6
value 0.00443
scoring_system epss
scoring_elements 0.63347
published_at 2026-04-09T12:55:00Z
7
value 0.00443
scoring_system epss
scoring_elements 0.63364
published_at 2026-04-26T12:55:00Z
8
value 0.00443
scoring_system epss
scoring_elements 0.63348
published_at 2026-04-12T12:55:00Z
9
value 0.00443
scoring_system epss
scoring_elements 0.63311
published_at 2026-04-13T12:55:00Z
10
value 0.00443
scoring_system epss
scoring_elements 0.63345
published_at 2026-04-16T12:55:00Z
11
value 0.00443
scoring_system epss
scoring_elements 0.63353
published_at 2026-04-18T12:55:00Z
12
value 0.00443
scoring_system epss
scoring_elements 0.63332
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8166
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml
11
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements
1
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
12
reference_url https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
reference_id
reference_type
scores
url https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
13
reference_url https://hackerone.com/reports/732415
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/732415
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8166
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8166
15
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
url https://www.debian.org/security/2020/dsa-4766
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843152
reference_id 1843152
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843152
17
reference_url https://github.com/advisories/GHSA-jp5v-5gx4-jmj9
reference_id GHSA-jp5v-5gx4-jmj9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jp5v-5gx4-jmj9
18
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-19fr-55kr-hyax
2
vulnerability VCID-1bxs-yghe-cyck
3
vulnerability VCID-1rxp-g9rz-4yb3
4
vulnerability VCID-1x8k-t8mr-3fgp
5
vulnerability VCID-31xv-z8c6-a7bg
6
vulnerability VCID-3hur-esmy-x3hr
7
vulnerability VCID-5qu2-b8gt-7qe3
8
vulnerability VCID-63gy-6njy-kbd8
9
vulnerability VCID-6ku5-mtgz-zygw
10
vulnerability VCID-6pxd-xsaw-tuer
11
vulnerability VCID-895a-ydc5-zfg6
12
vulnerability VCID-a6sp-18av-wya6
13
vulnerability VCID-ce39-j83r-6ug9
14
vulnerability VCID-dd9p-x7k3-37ea
15
vulnerability VCID-drg6-gj1f-h7ea
16
vulnerability VCID-es1t-7196-4kbb
17
vulnerability VCID-g3rk-djae-pkeh
18
vulnerability VCID-gjey-bqtd-kqa1
19
vulnerability VCID-hppf-a715-r7b2
20
vulnerability VCID-jwun-grgg-2uet
21
vulnerability VCID-mnkw-23eu-bkgc
22
vulnerability VCID-p5mc-r1rg-5ff7
23
vulnerability VCID-sfyc-jewr-wuf5
24
vulnerability VCID-sgdb-985e-4uej
25
vulnerability VCID-sygb-mygd-s3gb
26
vulnerability VCID-t684-yp58-hkg8
27
vulnerability VCID-t9yh-ss8z-e3cb
28
vulnerability VCID-v9mt-t1pb-hybk
29
vulnerability VCID-wg3a-j2dp-ayh4
30
vulnerability VCID-wyy6-h8bq-vyde
31
vulnerability VCID-yy6t-ybeu-qycc
32
vulnerability VCID-yzpx-3gam-y3bu
33
vulnerability VCID-zqzx-avvt-wkhm
34
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%252Bdeb10u3
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2020-8166, GHSA-jp5v-5gx4-jmj9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mnkw-23eu-bkgc
18
url VCID-p5mc-r1rg-5ff7
vulnerability_id VCID-p5mc-r1rg-5ff7
summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-27777
reference_id
reference_type
scores
0
value 0.00911
scoring_system epss
scoring_elements 0.75896
published_at 2026-04-26T12:55:00Z
1
value 0.00911
scoring_system epss
scoring_elements 0.75887
published_at 2026-04-24T12:55:00Z
2
value 0.00911
scoring_system epss
scoring_elements 0.75849
published_at 2026-04-21T12:55:00Z
3
value 0.00911
scoring_system epss
scoring_elements 0.75864
published_at 2026-04-18T12:55:00Z
4
value 0.00911
scoring_system epss
scoring_elements 0.7586
published_at 2026-04-16T12:55:00Z
5
value 0.00911
scoring_system epss
scoring_elements 0.75823
published_at 2026-04-13T12:55:00Z
6
value 0.00911
scoring_system epss
scoring_elements 0.7578
published_at 2026-04-07T12:55:00Z
7
value 0.00911
scoring_system epss
scoring_elements 0.75801
published_at 2026-04-04T12:55:00Z
8
value 0.00911
scoring_system epss
scoring_elements 0.75768
published_at 2026-04-02T12:55:00Z
9
value 0.00911
scoring_system epss
scoring_elements 0.75829
published_at 2026-04-12T12:55:00Z
10
value 0.00911
scoring_system epss
scoring_elements 0.75848
published_at 2026-04-11T12:55:00Z
11
value 0.00911
scoring_system epss
scoring_elements 0.75824
published_at 2026-04-09T12:55:00Z
12
value 0.00911
scoring_system epss
scoring_elements 0.75812
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-27777
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85
16
reference_url https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
17
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
18
reference_url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
19
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982
reference_id 1016982
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2080296
reference_id 2080296
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2080296
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-27777
reference_id CVE-2022-27777
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-27777
23
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml
reference_id CVE-2022-27777.YML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml
24
reference_url https://github.com/advisories/GHSA-ch3h-j2vf-95pv
reference_id GHSA-ch3h-j2vf-95pv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ch3h-j2vf-95pv
25
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2022-27777, GHSA-ch3h-j2vf-95pv, GMS-2022-1138
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p5mc-r1rg-5ff7
19
url VCID-t684-yp58-hkg8
vulnerability_id VCID-t684-yp58-hkg8
summary 
ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

```
data = cache.fetch("demo", raw: true) { untrusted_string }
```
Versions Affected:  rails < 5.2.5, rails < 6.0.4
Not affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
  
Impact
------
Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds
-----------
It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the `raw` argument should be double-checked to ensure that they conform to the expected format.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8165
reference_id
reference_type
scores
0
value 0.90128
scoring_system epss
scoring_elements 0.99585
published_at 2026-04-02T12:55:00Z
1
value 0.90128
scoring_system epss
scoring_elements 0.99592
published_at 2026-04-26T12:55:00Z
2
value 0.90128
scoring_system epss
scoring_elements 0.99591
published_at 2026-04-24T12:55:00Z
3
value 0.90128
scoring_system epss
scoring_elements 0.9959
published_at 2026-04-18T12:55:00Z
4
value 0.90128
scoring_system epss
scoring_elements 0.99589
published_at 2026-04-16T12:55:00Z
5
value 0.90128
scoring_system epss
scoring_elements 0.99588
published_at 2026-04-13T12:55:00Z
6
value 0.90128
scoring_system epss
scoring_elements 0.99587
published_at 2026-04-07T12:55:00Z
7
value 0.90128
scoring_system epss
scoring_elements 0.99586
published_at 2026-04-04T12:55:00Z
8
value 0.90128
scoring_system epss
scoring_elements 0.99584
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8165
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
12
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
13
reference_url https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
14
reference_url https://hackerone.com/reports/413388
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/413388
15
reference_url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
16
reference_url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8165
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8165
18
reference_url https://security.netapp.com/advisory/ntap-20250509-0002
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250509-0002
19
reference_url https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
20
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843072
reference_id 1843072
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843072
22
reference_url https://github.com/advisories/GHSA-2p68-f74v-9wc6
reference_id GHSA-2p68-f74v-9wc6
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2p68-f74v-9wc6
23
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-19fr-55kr-hyax
2
vulnerability VCID-1bxs-yghe-cyck
3
vulnerability VCID-1rxp-g9rz-4yb3
4
vulnerability VCID-1x8k-t8mr-3fgp
5
vulnerability VCID-31xv-z8c6-a7bg
6
vulnerability VCID-3hur-esmy-x3hr
7
vulnerability VCID-5qu2-b8gt-7qe3
8
vulnerability VCID-63gy-6njy-kbd8
9
vulnerability VCID-6ku5-mtgz-zygw
10
vulnerability VCID-6pxd-xsaw-tuer
11
vulnerability VCID-895a-ydc5-zfg6
12
vulnerability VCID-a6sp-18av-wya6
13
vulnerability VCID-ce39-j83r-6ug9
14
vulnerability VCID-dd9p-x7k3-37ea
15
vulnerability VCID-drg6-gj1f-h7ea
16
vulnerability VCID-es1t-7196-4kbb
17
vulnerability VCID-g3rk-djae-pkeh
18
vulnerability VCID-gjey-bqtd-kqa1
19
vulnerability VCID-hppf-a715-r7b2
20
vulnerability VCID-jwun-grgg-2uet
21
vulnerability VCID-mnkw-23eu-bkgc
22
vulnerability VCID-p5mc-r1rg-5ff7
23
vulnerability VCID-sfyc-jewr-wuf5
24
vulnerability VCID-sgdb-985e-4uej
25
vulnerability VCID-sygb-mygd-s3gb
26
vulnerability VCID-t684-yp58-hkg8
27
vulnerability VCID-t9yh-ss8z-e3cb
28
vulnerability VCID-v9mt-t1pb-hybk
29
vulnerability VCID-wg3a-j2dp-ayh4
30
vulnerability VCID-wyy6-h8bq-vyde
31
vulnerability VCID-yy6t-ybeu-qycc
32
vulnerability VCID-yzpx-3gam-y3bu
33
vulnerability VCID-zqzx-avvt-wkhm
34
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%252Bdeb10u3
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2020-8165, GHSA-2p68-f74v-9wc6
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t684-yp58-hkg8
20
url VCID-t9yh-ss8z-e3cb
vulnerability_id VCID-t9yh-ss8z-e3cb
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22794.json
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22794.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22794
reference_id
reference_type
scores
0
value 0.05757
scoring_system epss
scoring_elements 0.90489
published_at 2026-04-26T12:55:00Z
1
value 0.05757
scoring_system epss
scoring_elements 0.90477
published_at 2026-04-21T12:55:00Z
2
value 0.06659
scoring_system epss
scoring_elements 0.91216
published_at 2026-04-13T12:55:00Z
3
value 0.06659
scoring_system epss
scoring_elements 0.91239
published_at 2026-04-18T12:55:00Z
4
value 0.06659
scoring_system epss
scoring_elements 0.9124
published_at 2026-04-16T12:55:00Z
5
value 0.06659
scoring_system epss
scoring_elements 0.912
published_at 2026-04-08T12:55:00Z
6
value 0.06659
scoring_system epss
scoring_elements 0.91186
published_at 2026-04-07T12:55:00Z
7
value 0.06659
scoring_system epss
scoring_elements 0.91179
published_at 2026-04-04T12:55:00Z
8
value 0.06659
scoring_system epss
scoring_elements 0.9117
published_at 2026-04-02T12:55:00Z
9
value 0.06659
scoring_system epss
scoring_elements 0.91213
published_at 2026-04-11T12:55:00Z
10
value 0.06659
scoring_system epss
scoring_elements 0.91206
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22794
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
13
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
14
reference_url https://github.com/rails/rails/commit/d7aba06953f9fa789c411676b941d20df8ef73de
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/d7aba06953f9fa789c411676b941d20df8ef73de
15
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2023-22794.yml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2023-22794.yml
17
reference_url https://security.netapp.com/advisory/ntap-20240202-0008
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0008
18
reference_url https://security.netapp.com/advisory/ntap-20240202-0008/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240202-0008/
19
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164785
reference_id 2164785
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164785
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22794
reference_id CVE-2023-22794
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22794
23
reference_url https://github.com/advisories/GHSA-hq7p-j377-6v63
reference_id GHSA-hq7p-j377-6v63
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hq7p-j377-6v63
24
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2023-22794, GHSA-hq7p-j377-6v63, GMS-2023-60
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9yh-ss8z-e3cb
21
url VCID-v9mt-t1pb-hybk
vulnerability_id VCID-v9mt-t1pb-hybk
summary 
Cross site scripting vulnerability in ActionView
There is a possible cross site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers.  Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks.

### Impact

There is a possible XSS vulnerability in the `j` and `escape_javascript` methods in ActionView.  These methods are used for escaping JavaScript string literals.  Impacted code will look something like this:

```erb
<script>let a = `<%= j unknown_input %>`</script>
```

or

```erb
<script>let a = `<%= escape_javascript unknown_input %>`</script>
```

### Releases

The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.

### Workarounds

For those that can't upgrade, the following monkey patch may be used:

```ruby
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
  {
    "`" => "\\`",
    "$" => "\\$"
  }
)

module ActionView::Helpers::JavaScriptHelper
  alias :old_ej :escape_javascript
  alias :old_j :j

  def escape_javascript(javascript)
    javascript = javascript.to_s
    if javascript.empty?
      result = ""
    else
      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
    end
    javascript.html_safe? ? result.html_safe : result
  end

  alias :j :escape_javascript
end
```

### Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* [5-2-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-5-2-js-helper-xss-patch) - Patch for 5.2 series
* [6-0-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-6-0-js-helper-xss-patch) - Patch for 6.0 series

Please note that only the 5.2 and 6.0 series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

### Credits

Thanks to Jesse Campos from Chef Secure
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5267.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5267.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-5267
reference_id
reference_type
scores
0
value 0.00887
scoring_system epss
scoring_elements 0.75409
published_at 2026-04-02T12:55:00Z
1
value 0.00887
scoring_system epss
scoring_elements 0.75535
published_at 2026-04-26T12:55:00Z
2
value 0.00887
scoring_system epss
scoring_elements 0.7553
published_at 2026-04-24T12:55:00Z
3
value 0.00887
scoring_system epss
scoring_elements 0.75504
published_at 2026-04-16T12:55:00Z
4
value 0.00887
scoring_system epss
scoring_elements 0.75461
published_at 2026-04-13T12:55:00Z
5
value 0.00887
scoring_system epss
scoring_elements 0.75472
published_at 2026-04-12T12:55:00Z
6
value 0.00887
scoring_system epss
scoring_elements 0.75493
published_at 2026-04-11T12:55:00Z
7
value 0.00887
scoring_system epss
scoring_elements 0.75474
published_at 2026-04-09T12:55:00Z
8
value 0.00887
scoring_system epss
scoring_elements 0.75465
published_at 2026-04-08T12:55:00Z
9
value 0.00887
scoring_system epss
scoring_elements 0.75406
published_at 2026-04-01T12:55:00Z
10
value 0.00887
scoring_system epss
scoring_elements 0.75422
published_at 2026-04-07T12:55:00Z
11
value 0.00887
scoring_system epss
scoring_elements 0.75441
published_at 2026-04-04T12:55:00Z
12
value 0.00887
scoring_system epss
scoring_elements 0.75498
published_at 2026-04-21T12:55:00Z
13
value 0.00887
scoring_system epss
scoring_elements 0.75509
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-5267
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5267
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5267
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a
6
reference_url https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-5267.yml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-5267.yml
8
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3
scoring_elements
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
9
reference_url https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-5267
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:S/C:N/I:P/A:N
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
2
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-5267
14
reference_url http://www.openwall.com/lists/oss-security/2020/03/19/1
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2020/03/19/1
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1831528
reference_id 1831528
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1831528
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954304
reference_id 954304
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954304
17
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:actionview:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:rubyonrails:actionview:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:actionview:*:*:*:*:*:*:*:*
18
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
19
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
reference_id cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
20
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
reference_id cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
21
reference_url https://github.com/advisories/GHSA-65cv-r6x7-79hv
reference_id GHSA-65cv-r6x7-79hv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-65cv-r6x7-79hv
22
reference_url https://access.redhat.com/errata/RHSA-2020:4366
reference_id RHSA-2020:4366
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4366
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2020-5267, GHSA-65cv-r6x7-79hv
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v9mt-t1pb-hybk
22
url VCID-wg3a-j2dp-ayh4
vulnerability_id VCID-wg3a-j2dp-ayh4
summary 
Possible DoS Vulnerability in Action Controller Token Authentication
There is a possible DoS vulnerability in the Token Authentication logic in Action Controller.

Versions Affected:  >= 4.0.0
Not affected:       < 4.0.0
Fixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact
------
Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.  Impacted code will look something like this:

```
class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch placed in an initializer can be used to work around the issue:

```ruby
module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5-2-http-authentication-dos.patch - Patch for 5.2 series
* 6-0-http-authentication-dos.patch - Patch for 6.0 series
* 6-1-http-authentication-dos.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------
Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22904
reference_id
reference_type
scores
0
value 0.07856
scoring_system epss
scoring_elements 0.92018
published_at 2026-04-26T12:55:00Z
1
value 0.07856
scoring_system epss
scoring_elements 0.9202
published_at 2026-04-24T12:55:00Z
2
value 0.07856
scoring_system epss
scoring_elements 0.92015
published_at 2026-04-21T12:55:00Z
3
value 0.07856
scoring_system epss
scoring_elements 0.92019
published_at 2026-04-18T12:55:00Z
4
value 0.07856
scoring_system epss
scoring_elements 0.92022
published_at 2026-04-16T12:55:00Z
5
value 0.07856
scoring_system epss
scoring_elements 0.92007
published_at 2026-04-12T12:55:00Z
6
value 0.07856
scoring_system epss
scoring_elements 0.91966
published_at 2026-04-01T12:55:00Z
7
value 0.07856
scoring_system epss
scoring_elements 0.92004
published_at 2026-04-13T12:55:00Z
8
value 0.07856
scoring_system epss
scoring_elements 0.92
published_at 2026-04-08T12:55:00Z
9
value 0.07856
scoring_system epss
scoring_elements 0.91987
published_at 2026-04-07T12:55:00Z
10
value 0.07856
scoring_system epss
scoring_elements 0.91981
published_at 2026-04-04T12:55:00Z
11
value 0.07856
scoring_system epss
scoring_elements 0.91974
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22904
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
5
reference_url https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://github.com/rails/rails/releases/tag/v5.2.4.6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v5.2.4.6
9
reference_url https://github.com/rails/rails/releases/tag/v5.2.6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v5.2.6
10
reference_url https://github.com/rails/rails/releases/tag/v6.0.3.7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.0.3.7
11
reference_url https://github.com/rails/rails/releases/tag/v6.1.3.2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.3.2
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml
13
reference_url https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
14
reference_url https://hackerone.com/reports/1101125
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1101125
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22904
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22904
16
reference_url https://security.netapp.com/advisory/ntap-20210805-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210805-0009
17
reference_url https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210805-0009/
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1961379
reference_id 1961379
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1961379
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id 988214
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
20
reference_url https://security.archlinux.org/AVG-1920
reference_id AVG-1920
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1920
21
reference_url https://security.archlinux.org/AVG-1921
reference_id AVG-1921
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1921
22
reference_url https://security.archlinux.org/AVG-2090
reference_id AVG-2090
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2090
23
reference_url https://security.archlinux.org/AVG-2223
reference_id AVG-2223
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2223
24
reference_url https://github.com/advisories/GHSA-7wjx-3g7j-8584
reference_id GHSA-7wjx-3g7j-8584
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7wjx-3g7j-8584
25
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-19fr-55kr-hyax
2
vulnerability VCID-1bxs-yghe-cyck
3
vulnerability VCID-1rxp-g9rz-4yb3
4
vulnerability VCID-1x8k-t8mr-3fgp
5
vulnerability VCID-31xv-z8c6-a7bg
6
vulnerability VCID-3hur-esmy-x3hr
7
vulnerability VCID-5qu2-b8gt-7qe3
8
vulnerability VCID-63gy-6njy-kbd8
9
vulnerability VCID-6ku5-mtgz-zygw
10
vulnerability VCID-6pxd-xsaw-tuer
11
vulnerability VCID-895a-ydc5-zfg6
12
vulnerability VCID-a6sp-18av-wya6
13
vulnerability VCID-ce39-j83r-6ug9
14
vulnerability VCID-dd9p-x7k3-37ea
15
vulnerability VCID-drg6-gj1f-h7ea
16
vulnerability VCID-es1t-7196-4kbb
17
vulnerability VCID-g3rk-djae-pkeh
18
vulnerability VCID-gjey-bqtd-kqa1
19
vulnerability VCID-hppf-a715-r7b2
20
vulnerability VCID-jwun-grgg-2uet
21
vulnerability VCID-mnkw-23eu-bkgc
22
vulnerability VCID-p5mc-r1rg-5ff7
23
vulnerability VCID-sfyc-jewr-wuf5
24
vulnerability VCID-sgdb-985e-4uej
25
vulnerability VCID-sygb-mygd-s3gb
26
vulnerability VCID-t684-yp58-hkg8
27
vulnerability VCID-t9yh-ss8z-e3cb
28
vulnerability VCID-v9mt-t1pb-hybk
29
vulnerability VCID-wg3a-j2dp-ayh4
30
vulnerability VCID-wyy6-h8bq-vyde
31
vulnerability VCID-yy6t-ybeu-qycc
32
vulnerability VCID-yzpx-3gam-y3bu
33
vulnerability VCID-zqzx-avvt-wkhm
34
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%252Bdeb10u3
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2021-22904, GHSA-7wjx-3g7j-8584
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wg3a-j2dp-ayh4
23
url VCID-wyy6-h8bq-vyde
vulnerability_id VCID-wyy6-h8bq-vyde
summary 
Denial of Service in Action Dispatch
Impact
------
There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch placed in an initializer can be used to work around the issue.

```ruby
module Mime
  class Type
    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.0 series
* 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Security Curious <security...@pm.me> for reporting this!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22902
reference_id
reference_type
scores
0
value 0.01063
scoring_system epss
scoring_elements 0.77732
published_at 2026-04-26T12:55:00Z
1
value 0.01063
scoring_system epss
scoring_elements 0.77723
published_at 2026-04-24T12:55:00Z
2
value 0.01063
scoring_system epss
scoring_elements 0.77693
published_at 2026-04-21T12:55:00Z
3
value 0.01063
scoring_system epss
scoring_elements 0.77699
published_at 2026-04-18T12:55:00Z
4
value 0.01063
scoring_system epss
scoring_elements 0.77701
published_at 2026-04-16T12:55:00Z
5
value 0.01063
scoring_system epss
scoring_elements 0.77664
published_at 2026-04-13T12:55:00Z
6
value 0.01063
scoring_system epss
scoring_elements 0.77665
published_at 2026-04-12T12:55:00Z
7
value 0.01063
scoring_system epss
scoring_elements 0.77612
published_at 2026-04-02T12:55:00Z
8
value 0.01063
scoring_system epss
scoring_elements 0.77639
published_at 2026-04-04T12:55:00Z
9
value 0.01063
scoring_system epss
scoring_elements 0.77605
published_at 2026-04-01T12:55:00Z
10
value 0.01063
scoring_system epss
scoring_elements 0.77681
published_at 2026-04-11T12:55:00Z
11
value 0.01063
scoring_system epss
scoring_elements 0.77655
published_at 2026-04-09T12:55:00Z
12
value 0.01063
scoring_system epss
scoring_elements 0.77649
published_at 2026-04-08T12:55:00Z
13
value 0.01063
scoring_system epss
scoring_elements 0.77621
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22902
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902
3
reference_url https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rails/rails/releases/tag/v6.0.3.7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.0.3.7
6
reference_url https://github.com/rails/rails/releases/tag/v6.1.3.2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.3.2
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml
8
reference_url https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c
9
reference_url https://hackerone.com/reports/1138654
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1138654
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22902
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22902
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1961382
reference_id 1961382
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1961382
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id 988214
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
13
reference_url https://security.archlinux.org/AVG-2090
reference_id AVG-2090
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2090
14
reference_url https://security.archlinux.org/AVG-2223
reference_id AVG-2223
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2223
15
reference_url https://github.com/advisories/GHSA-g8ww-46x2-2p65
reference_id GHSA-g8ww-46x2-2p65
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g8ww-46x2-2p65
16
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2021-22902, GHSA-g8ww-46x2-2p65
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wyy6-h8bq-vyde
24
url VCID-zy7d-3db6-sydw
vulnerability_id VCID-zy7d-3db6-sydw
summary 
Cross-site scripting in actionpack
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

Workarounds
-----------
Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb: `config.middleware.delete ActionDispatch::ActionableExceptions`
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8264.json
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8264.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8264
reference_id
reference_type
scores
0
value 0.00346
scoring_system epss
scoring_elements 0.57143
published_at 2026-04-26T12:55:00Z
1
value 0.00346
scoring_system epss
scoring_elements 0.57122
published_at 2026-04-24T12:55:00Z
2
value 0.00346
scoring_system epss
scoring_elements 0.5719
published_at 2026-04-21T12:55:00Z
3
value 0.00346
scoring_system epss
scoring_elements 0.5721
published_at 2026-04-18T12:55:00Z
4
value 0.00346
scoring_system epss
scoring_elements 0.57186
published_at 2026-04-13T12:55:00Z
5
value 0.00346
scoring_system epss
scoring_elements 0.57206
published_at 2026-04-12T12:55:00Z
6
value 0.00346
scoring_system epss
scoring_elements 0.57225
published_at 2026-04-11T12:55:00Z
7
value 0.00346
scoring_system epss
scoring_elements 0.57213
published_at 2026-04-16T12:55:00Z
8
value 0.00346
scoring_system epss
scoring_elements 0.57211
published_at 2026-04-08T12:55:00Z
9
value 0.00346
scoring_system epss
scoring_elements 0.5716
published_at 2026-04-07T12:55:00Z
10
value 0.00346
scoring_system epss
scoring_elements 0.57065
published_at 2026-04-01T12:55:00Z
11
value 0.00346
scoring_system epss
scoring_elements 0.57159
published_at 2026-04-02T12:55:00Z
12
value 0.00346
scoring_system epss
scoring_elements 0.57183
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8264
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8264
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8264
3
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8264.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8264.yml
4
reference_url https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk
5
reference_url https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ
6
reference_url https://hackerone.com/reports/904059
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/904059
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8264
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8264
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1886554
reference_id 1886554
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1886554
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971988
reference_id 971988
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971988
10
reference_url https://github.com/advisories/GHSA-35mm-cc6r-8fjp
reference_id GHSA-35mm-cc6r-8fjp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-35mm-cc6r-8fjp
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3hur-esmy-x3hr
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6pxd-xsaw-tuer
4
vulnerability VCID-96qr-hdbp-p7ff
5
vulnerability VCID-a6z9-5n6k-2kak
6
vulnerability VCID-ad6q-vtdf-syb6
7
vulnerability VCID-dd9p-x7k3-37ea
8
vulnerability VCID-g3rk-djae-pkeh
9
vulnerability VCID-hatd-vkun-13hj
10
vulnerability VCID-n8r7-wthv-fqaj
11
vulnerability VCID-qxe4-dubt-1kfp
12
vulnerability VCID-sarm-n22v-akcm
13
vulnerability VCID-sfyc-jewr-wuf5
14
vulnerability VCID-sgdb-985e-4uej
15
vulnerability VCID-sygb-mygd-s3gb
16
vulnerability VCID-wpmk-wgpm-cuee
17
vulnerability VCID-yy6t-ybeu-qycc
18
vulnerability VCID-yzpx-3gam-y3bu
19
vulnerability VCID-zqzx-avvt-wkhm
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2
aliases CVE-2020-8264, GHSA-35mm-cc6r-8fjp
risk_score 3.5
exploitability 0.5
weighted_severity 6.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zy7d-3db6-sydw
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2